isaca @ mumbai E-JOURNAL (FOR INTERNAL CIRCULATION ONLY)
VOLUME 2, ISSUE 3

INSIDE THIS EDITION
Message From The President
From The Editor's Desk
Get Connected To ISACA Mumbai Chapter
News Update
Interlude
Corporate Espionage – the insider threat
Social Media Usage In The Enterprise
Vendor risk assessment
Security Considerations while Procuring BYOD Solutions for Mobile Phone/Tablets
ISACA Conference Photo Gallery
Solution To Last Edition's Crossword Puzzle
Crossword Puzzle

Message From The President

The chapter's new office is now fully functional. We have conducted and completed the first CISA Review Course in the new premises along with mock tests. The CISM Review Course has also been completed. COBIT 5 Foundation and PCI DSS Ver 3.0 workshops were also conducted during the last quarter. All the courses and workshops were appreciated by the participants who attended. Various speakers have graced the Saturday Chapter meetings in the premises for the chapter members. We are now looking to conduct more and more meetings and workshops for the benefit of the members in the coming days.

Lots of things are happening in the outside world: the historic Iran nuclear signoff, the Greek bailout, the earthquake in Nepal etc. These things are in some way connected to and affect all of us. They are also making us think that nothing is perpetual and change is constant. Always look for and embrace the change, tune to and with it, and the world would be a better place to live. Talking about change, one should not expect others to change and not oneself. David Brin has commented beautifully in relation to security: "When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else." I guess the time has come to change the mindset in the ever-changing world of "The Internet of Things".

"It used to be expensive to make things public and cheap to make them private. Now it's expensive to make things private and cheap to make them public." Clay Shirky, noted internet scholar and professor at New York University, has said this. This is what is happening in today's world. More and more personal and private information is being shared over the internet, and users are not taking enough measures to protect it. The information is available so easily that anyone can find out another person's details: where he was born, his birthday, the school and college attended, the jobs and companies joined and left, likes and dislikes etc., without the person being aware that this data can be used whenever and wherever, and without their knowledge. This is the power of connectivity in today's world, thanks to a phenomenon called the Internet, which started more than three decades ago. No one really thought about the power of the Internet then, and even now.

ISACA Mumbai Chapter is taking precisely this theme, "The Internet of Things", for its 19th Annual Conference, which is scheduled on August 1 and 2, 2015 at Hotel Westin Garden City, Goregaon. The conference will bring security professionals, auditors and consultants together to listen to some great speakers from industry talking about various aspects of "The Internet of Things", or should it be called "The Internet of Everything"? Look forward to seeing you there.

-Vaibhav Patkar

© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.

Mumbai Chapter E-journal 2014-15 Issue - 3


7/23/2019 Mumbai Chapter E-journal 2014-15 Issue - 3

http://slidepdf.com/reader/full/mumbai-chapter-e-journal-2014-15-issue-3 1/21


From the Editor's Desk

This may probably be my last editorial this financial year. We are in the midst of times wherein every other day we read of a hack / data breach. Thus data protection has become one of the key concern areas for most companies. The corporate world is gearing up to face this challenge of protecting its data.

People post pictures of themselves and their friends wherever they are, with the different locations. "Selfies" have become so popular, and profile pictures are being changed by individuals on a daily basis. Is your picture posted on Facebook or WhatsApp safe? Once you post it, it is in the server of Facebook or WhatsApp? Whom does it belong to now? You? Where is the server hosted? Which country does it belong to? So many questions? No real answers. These questions perhaps may be answered in the ensuing ISACA Mumbai Chapter Conference.

Interestingly, the key theme of ISACA Mumbai Chapter's Annual Conference scheduled on August 1st and August 2nd is "IOT" – Internet of Things. The conference is preceded by a workshop on 31st July. As per the ISACA IT Risk/Reward Barometer 2014 survey, 43% believe IOT is likely to be one of the major thrust areas and impactful from a future business plan perspective. 60% believe that Bring Your Own Wearable or Bring Your Own Device (BYOD) is risky. The conference has received a good response and seats are getting filled up fast. Wish all the members a happy three days of networking.

For any feedback/articles/criticism/suggestions, please leave a message to [email protected]

-Latha Sunderkrishnan
eJournal Editor, ISACA Mumbai Chapter

Get Connected to ISACA Mumbai Chapter

Given that the entire focus has now shifted to social media, ISACA Mumbai Chapter has attempted to create its presence on Twitter, Facebook and LinkedIn. However, no such initiative would succeed without your cooperation and participation. Please get connected!

Get socially connected with ISACA Mumbai Chapter in the following manner:

https://www.facebook.com/IsacaMumbaiChapter
https://twitter.com/ISACA_Mumbai
https://www.linkedin.com/ISACAMumbai

News Update from the Editor's Desk

Logjam – This New Encryption Glitch Puts Internet Users at Risk

After the Heartbleed, POODLE and FREAK encryption flaws, a new encryption attack has emerged over the Internet that allows attackers to read and modify the sensitive data passing through encrypted connections, potentially affecting hundreds of thousands of HTTPS-protected sites, mail servers, and other widely used Internet services.

A team of security researchers has discovered a new attack, dubbed Logjam, that allows a man-in-the-middle (MitM) to downgrade encrypted connections between a user and a web or email server to use extremely weak 512-bit keys, which can be easily decrypted.

Source: http://thehackernews.com/2015/05/logjan-ssl-vulnerability.html
Source: https://weakdh.org
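The downgrade described in the Logjam item works against the Diffie-Hellman (DHE) key exchange: a server that still offers export-grade suites, or that uses a small DHE group, is the precondition. The following script is an added example written for this newsletter, not code from the cited sources or from the researchers; it statically checks a server's cipher list and DH parameter size against that precondition. The two configurations are constructed inputs, the suite names follow OpenSSL's naming (EXP- prefix for export grade, EDH/DHE for finite-field ephemeral Diffie-Hellman), and the parser assumes explicit suite names rather than OpenSSL keywords such as HIGH or !aNULL.

```python
"""Static check for the Logjam downgrade preconditions on a server's TLS
configuration: export-grade cipher suites still offered, or ephemeral
Diffie-Hellman (DHE) offered with a group smaller than 2048 bits.  Both
configurations below are constructed inputs; suite names follow OpenSSL's
naming (EXP- prefix = export grade, EDH/DHE = ephemeral Diffie-Hellman)."""
import re

WEAK_CONFIG = {
    "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-SHA:"
               "EXP-EDH-RSA-DES-CBC-SHA:EXP-DES-CBC-SHA",
    "dh_param_bits": 1024,
}
HARDENED_CONFIG = {
    "ciphers": "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:"
               "DHE-RSA-AES256-GCM-SHA384",
    "dh_param_bits": 2048,
}

EXPORT_RE = re.compile(r"^EXP")              # export-grade (512-bit) suites
DHE_RE = re.compile(r"(^|-)(EDH|DHE)(-|$)")  # finite-field DHE, not ECDHE


def split_cipher_list(cipher_list):
    """Explicit OpenSSL suite names separated by ':' (keywords such as
    'HIGH' or '!aNULL' are not expanded here; that is an assumption)."""
    return [s for s in cipher_list.split(":") if s]


def assess_dh_downgrade(config, min_dh_bits=2048):
    """Report why a MitM could push this server to weak Diffie-Hellman."""
    suites = split_cipher_list(config["ciphers"])
    export_suites = [s for s in suites if EXPORT_RE.match(s)]
    dhe_suites = [s for s in suites if DHE_RE.search(s) and not EXPORT_RE.match(s)]
    findings = []
    if export_suites:
        findings.append("export-grade suites offered: " + ", ".join(export_suites))
    if dhe_suites and config["dh_param_bits"] < min_dh_bits:
        findings.append("DHE offered with a %d-bit group (minimum %d)"
                        % (config["dh_param_bits"], min_dh_bits))
    return {"vulnerable": bool(findings), "findings": findings,
            "dhe_suites": dhe_suites}


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, assess_dh_downgrade(cfg))
```

A check of the configuration file is only a first pass: what matters is the group the live server actually negotiates, so confirm the result by testing the endpoint itself. Removing the export suites and generating a DH group of at least 2048 bits (or preferring ECDHE) is the remediation the weakdh.org authors recommend.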

Cyberattack Exposes I.R.S. Tax Returns

Criminals used stolen data to gain access to past tax returns of more than 100,000 people through an application on the Internal Revenue Service's website, the agency said on Tuesday. Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme.

Source: http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html?_r=1

Gaana.com reportedly hacked, details of 10 million users allegedly scraped

One of India's most popular music streaming services, Gaana.com, has reportedly been hacked. The site is currently down for maintenance, with no official statement given out yet. A Pakistan-based hacker has claimed responsibility for the hack and claims details of 10 million users, including their email address, date of birth and other information, have been scraped and made available in a searchable database.

The hacker, Mak Man, claims he can get all details of users by entering an email address. He claims his exploit has given him access to information about 10 million users of the service. Of course, the claims remain unverified at the moment.

Source: http://www.bgr.in/news/gaana-com-reportedly-hacked-details-of-10-million-users-allegedly-scraped/
http://thenextweb.com/insider/2015/05/28/indian-music-streaming-service-gaana-hacked-millions-of-users-details-exposed/

Ola Cabs Hacked And Users' Credit Card Details Compromised

Ola Cab is a taxi service which has been hacked by a group of hackers called Team Unknown. The group posted a thread on Sunday in Reddit claiming that they have hacked the Ola Cab database, including all the information of the users such as credit card transaction history, vouchers etc.

Source: http://www.latesthackingnews.com/ola-cabs-hacked-and-users-credit-cards-details-comprised/

Kaspersky Lab cybersecurity firm is hacked

One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers. Kaspersky Lab said it believed the attack was designed to spy on its newest technologies. It said the intrusion involved up to three previously unknown techniques. The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage. Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was "in no way critical to the operation" of its products.

Source: http://www.bbc.com/news/technology-33083050

Interlude

-Anuprita Dagga

Brief Bio About The Interviewee

Anuprita Dagga, CISM, is the Chief Information Security Officer of Reliance Capital Ltd.

Q: What is your vision for security for your organization for 2015?

A: In the world of technology, every day there is innovation. Every innovation is giving new opportunity as well as generating new threat. Due to the increase in the adoption of the internet, users are expecting every information at their fingertips.

As we are in the financial services industry, it is very important to provide services to the customers and make them self-sufficient by providing self-service avenues.

Our vision is to provide a user-centric, trusted and secure environment to employees to conduct business, while ensuring protection of RCL information assets including customer data.

Q: How strong is your ISMF team and how much is the support from the management in your company? How often do you meet to discuss security issues?

A: We have a very strong governance framework and ISMF defined and practiced, that is having the top-down approach. There is visibility from the end user up to the Board, and all issues and incidents are discussed at different levels. There is an "Information Security Risk Management Committee" defined which discusses all information security related issues and tries to address them in the most optimal manner. All the risks are reported to the Risk Management Committee, which reports to the Board.

Q: What do you think is the bare minimum compliance that needs to be followed to avoid any security breaches?

A: Security of customer information and company confidentiality is at the centre of the Information Security Management System. Protection and monitoring of confidential information is the minimum compliance that should be kept in mind while defining an information security program. Being in the financial services industry, we give priority to safeguarding and monitoring customer personal information and company confidential information.

There are 3 parallel paths which help in avoiding security breaches:

1. Proactive (Learning from the external world) – Every security professional needs to be aware of the security trends, threats, vulnerabilities published, breaches that occur in the external world etc. This will help the company to initiate proactive action plans before responding to any incident.

2. Reactive (Happening within the company) – Be aware of what is happening inside the company. Have a continuous monitoring mechanism, which can be used for improving system effectiveness and taking disciplinary action in case of violation.

3. Awareness (Deterrent) – People are the most critical part of the system. It is very important to make users aware of the information security concept: WHY, WHAT, WHERE and HOW.

One needs to ensure that organization security policies align with the requirements of the business. Needless to say, regulatory and statutory compliance requirements are mandatory in nature.

Q: How has being certified helped you enhance your career?

A: Yes. I am a certified CISM professional. It has definitely helped me to increase my professional knowledge, which I can use in my job. It has also helped me to collaborate with the same professional interest group and share information.

Q: Do you arrange for security awareness trainings? How often are they conducted in your organization?

A: We do arrange security awareness trainings. We conduct formal and informal trainings in groups as well as establish connect with individuals, and also conduct refresher security awareness sessions for all users.

Q: What are the challenges that you face at your workplace?

A: Keeping pace with the developments of technology and maintaining dynamic security along with technology developments is one of the major challenges.

Q: How has social media impacted you professionally?

A: Social media helps one to know all the developments happening in the external world. In such a busy working schedule, it is the fastest channel to reach anyone. Social media has also made access to information easy.

Q: How do you keep updated with the latest security news?

A: Security news subscriptions, conferences, events, social media groups etc.

Corporate Espionage – the insider threat

-Murli Nambiar

Brief Bio About The Writer

Murli has 22 years of rich IT experience as a strategist, innovator and visionary. He has been instrumental in setting up information security divisions for Mashreqbank (Dubai), ICICI Bank and Reliance Capital group. He has conceptualized & implemented various innovative data security solutions like data flow analysis for data security, and has worked on key security solutions like Privileged Identity Management, SIEM / SOC environments, incident response and recovery (including forensics) and many more.

Murli also worked as Chief Technology Officer for Apollo Munich Health Insurance, Reliance Life Insurance & Reliance International business.

More About The Writer

Murli is widely acknowledged as a domain expert and has been featured in a number of publications. He's spoken at many seminars and conferences as well, in addition to winning many awards in the information security space. He was also featured in the book "The Innovative Heroes", published by DynamicCIO.com in 2013, as one of the Top 30 CIOs. In his spare time, Murli is an avid photographer, loves to travel, read and listen to old Hindi music.

Introduction

All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him. ---- Sun Tzu (~400 B.C.)

It's all about information. Corporate espionage can be defined as the collection of illegal and unethical activities undertaken by companies / organisations to gather, analyse and manage information on competitors with the purpose of gaining a corporate edge in the market.

Trade secrets, commercial secrets, intellectual property and strategic information like a potential bid price are typically targeted during industrial espionage.

In the early days, as now, spies deal mainly with information. They don't care where the information comes from; it's irrelevant as long as the information is compromised. In today's workplace much focus is given to technical controls like implementing firewalls and IPS. While these are good to prevent the traditional hackers, they do not mitigate the risk of employees working as spies for the competition: the INSIDER THREAT.

The Associated Chambers of Commerce and Industry of India (Assocham) did a survey in 2012. "Over 35 percent of companies operating in various sectors across India are engaged in corporate espionage to gain advantage over their competitors and are even spying on their employees via social networking Web sites," Assocham said in its report. Assocham made a stronger claim that about 900 respondents said they plant a mole in other companies, usually as receptionists, photocopiers and other low-end jobs.

About 1,200 respondents said they use detectives and surveillance agencies to constantly monitor their employees' activities and whereabouts, using moles and social media, according to the survey. About a quarter of respondents said they have hired computer experts for installing monitoring software to hack and crack the networks, track e-mails of their rivals and perform other covert activities," Assocham notes.

According to the survey, respondents also said they install "spying gadgets" like closed-circuit television cameras, audio and video surveillance devices, voice recorders, and global positioning systems in their offices to keep track of employees.

Another PwC report of 2013 calls industrial espionage "India's new booming sector". As per them, almost 80% of all CEOs use detective and surveillance agencies to spy on ex and current employees in addition to attempting to get competitive advantage.

And the Federation of Indian Chambers of Commerce and Industry (FICCI) called business espionage the 9th biggest threat to Indian companies in its annual India Risk Survey in 2014.

Evolution of corporate espionage

The history of corporate/industrial espionage probably dates back to the sixth century when Justinian, the Byzantine emperor, hired two monks to visit China. He wanted them to gain an understanding of silk production in China and to smuggle silkworm eggs and mulberry seeds out of that country to break its worldwide monopoly on silk production. The monks smuggled these eggs and seeds out of China in hollow bamboo walking sticks.

Subsequently, in a few years the Byzantine empire replaced China as the largest silk producer in the world. Over the centuries, industrial espionage practices continued to play a major part in the development of many countries. In the 18th century, alarmed by the industrial and military supremacy of Great Britain, France sent its spies to steal the latter's industrial secrets…

Various types of espionage activities

Technology has transformed the capabilities of spying with the addition of miniature cameras, photocopiers disguised as pens – able to copy documents simply by rolling over them – sensitive microphones to pick up and record conversations, and satellites that survey the entire globe.

Technical intelligence

Radio signals, coded communications, recorded conversations, intercepted calls and emails, satellite surveillance and electronic monitoring of ship and aircraft movements all contribute to increasingly complex intelligence pictures. The proliferation of smartphones is another factor.

Commercial and trade intelligence

Corporate espionage has become more prominent. National interests are now more focussed on economic strength and commercial competition. Information regarding the strategy of a competitor is invaluable and is often used as a tool when negotiating contracts with customers. Corporate espionage can be online or offline; however, with advanced technology, online espionage in the form of hacking has been steadily gaining popularity.

Human intelligence

In some areas of espionage, however, human agents are still the best information sources because they can supply the missing factors – the intentions of those in command. Human espionage can reveal the way the competition's management think – what they know, what they want and what they plan to do to achieve their objectives. Traditionally companies spend their time and effort investing in technology controls to prevent online leakage; however, information is often leaked when employees interact with head-hunters and their counterparts in other companies. Juneau Kastuva, President and CEO of a Canadian security firm, Northgate, estimated that 85 to 90 per cent of incidents involve the assistance of an insider who has legitimate access to the information. Thus, the most common agent of industrial espionage often emerges as an insider – an employee.

Double agents

In this shadowy world of cat and mouse, perhaps the most dangerous figure is the double agent – the spy with divided loyalties or personal greed who trades information between contenders and who betrays both sides with equal ease. To win an espionage battle, counterintelligence forces have to watch for the tell-tale signs of someone who does not quite belong, who shows too much interest in sensitive places or pieces of information, who associates with people who may be suspect, or whose background details seem less than convincing.

Implications of corporate espionage

Corporate espionage always damages the interests of the company, in some cases irreparably. Leaking of critical and confidential data would give an advantage to the competition. Innumerable cases are known where companies had disastrous results by virtue of stocks dropping, legal and financial implications and loss of customer confidence. The leaking of confidential product plans, marketing strategies, and financial documents could cripple an organization and bring it to extinction.

Tools and modus operandi

Tools – various tools could be used by spies: invisible ink, secret messages using codes and ciphers, microdots, telephone taps, hidden microphones, miniature cameras, infrared cameras, night vision systems etc. Many spying devices are available on the Internet at dirt cheap prices – motion-activated video recorders, voice recorders, GPS tracking keys, watch cameras, PC / cell monitoring etc.

Modus operandi –

- Dumpster diving – the process of looking through trash to identify confidential data not disposed of correctly.
- Carrying off confidential documents and joining competitors. Emailing / copying confidential information – through unprotected USB / Internet access.
- Social engineering attempts – attempting to misguide personnel into sharing their sensitive data, to either do malicious acts unknowingly or part with their credentials.
- Joint ventures with competitors – during the process of expanding the state-of-the-art, a company must divulge its knowledge of the state-of-the-art.
- Open source information – newspaper articles, corporate annual reports, court filings, marketing info etc.
- Hiring of employees – the easiest way of getting quick turnaround from an employee is to recruit from a company who has them. And when they come on board it would be difficult not to use the knowledge they have gained from the previous company when, for example, bidding for the same project.
- Information collection specialists – trade shows, conferences. They usually act like potential customers or fellow researchers to elicit

7/23/2019 Mumbai Chapter E-journal 2014-15 Issue - 3

http://slidepdf.com/reader/full/mumbai-chapter-e-journal-2014-15-issue-3 7/21

V O L U M E 2 , I S S U E 3P A G E 7

© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.

of any potential breach. TheCCTV and any biometric /access control device logsshould be regularly monitoredto identify cases. Ifhousekeeping team seem to bespending more time in specificareas than required, review the

reasons for it. Physical scans / verification

 –   conduct regular checks ofsensitive areas like CEO office,Board and conference rooms todetect any unauthorised devices(Wi-Fi access points ORrecording devices or bugs) ,especially before any importantmeetings take place there. 

New employees  expressinginterest in areas / domains notrelevant to his scope of workcould be potential indicators of

spying. Especially if theemployee has joined fromcompetition. Monitor theinternet browsing, emails andphone calls made of theseemployees in such cases.

How to prevent corporateespionage Information security efforts musttherefore address comprehensivecountermeasures that are ascomprehensive as the methodsemployed against them. There are

four parts of a comprehensivesecurity effort that enhance andsupport each other: Technical,Operational, Physical, andPersonnel Security.

Technical security –  reduce thevulnerabilities present inelectronic systems. In addition toimplementing perimeter leveldefences like Firewall andIntrusion prevention systems,InfoSec teams should start payingattention to the other factors like

protecting the data „within‟ theenterprise. Identifying andclassifying critical and confidentialdata and then implementingsecurity solutions to assign rightsand identify leaks should be topmost priority for them. Thedatabase team is privy to lot ofinformation and adequate controlsto monitor and audit theiractivities should be in place.Encrypting critical data identifiedin earlier step is key in ensuringdata is protected even if

compromised.

information from people thatare all too willing to give it up.

Most importantly of all  –  Insider Threat 

Most of incidents involve the useof insiders to steal information.

Getting an insider to collude canoccur in various ways. Theyinclude people who havebecome disillusioned with it,greedy people who can bebought, people who can becompelled to cooperate bythreats to family, blackmail andother ugly means. Hatred ofthose in power, a desire tohasten their downfall or needfor money or goods in shortsupply. For some, excitementand adventure could be enough

reason.

In many corporate organizations,especially the big corporates it‟s

easy for people with maliciousintent (read spies) to get a job.Once they get in they are usuallynot monitored or given acooling period before havingaccess to confidential data. Thus,they go undetected in theirthefts of information. Thishighlights the issue ofInformation security teams

spending time and money inprotecting their perimeter butdon‟t have sufficient internal

controls.

Getting jobs in housekeeping and other supporting functions is easy enough. Then, at night, the floor is theirs to play. Any document kept in the open, and files not locked away, are easy material to copy and steal. They would also go through the trash to see documents that are not properly shredded and gather information. This is a very effective way of getting information without raising any suspicion. In some cases, if the person posing as housekeeping personnel actually knows computers, they could try breaking into open systems, or trying to log in to systems is another easy way. Unless the organization has trained its personnel to identify these kinds of break-ins (for example, showing the last login time and noticing the unearthly login time, or the account being locked out when they come in to work in the morning), it's an easy process for the spies to keep trying until they strike it lucky.

In some cases, they could also plant bugs to record conversations that take place, especially in sensitive areas like the board or conference rooms. These are areas which are rarely scanned for such devices and could provide unimaginable benefits to the spies. A board discussion of sensitive and critical corporate topics would probably be of immense benefit to a competitor.

Some methods to detect espionage activities

Identification or increase in spear phishing activities – The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient.

Establishing a presence – usually firewalls detect inbound traffic, but all malicious activities require the exploit to report back to a C2 (command and control) server. Backdoors mimic legitimate traffic and use SSL encryption, so communications are hidden in an encrypted SSL tunnel. This backdoor will communicate to the server, and Infosec / IT teams need to monitor outbound traffic in this regard.

Privilege escalation – once a presence is made, the next step is to gain access to more resources within the network. The malicious user will try to dump the password hashes to obtain legitimate user credentials. Identifying any attempted password-dumping or cracking activity would help detect a malicious activity.

Monitor logs and physical access control devices regularly – monitoring the logs of various servers, firewalls and IPS and developing correlation rules which can highlight possibility
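Two of the correlation rules the article points at (unearthly login times, and accounts found locked out before their owner's morning login) written out as detection logic over sample logon events. This is an added example, not code from the article; the pipe-separated log format, the 07:00-20:00 business-hours window and the sample lines are constructed, while 4624 (successful logon) and 4740 (account locked out) are the real Windows Security event ids.

```python
"""Correlate logon and lockout events to flag the two symptoms the article
describes: logons at unearthly hours, and lockouts that precede the account
owner's next successful logon.  Added example; format and data are constructed."""
from collections import defaultdict
from datetime import datetime, time

# Constructed sample log, one event per line: "timestamp|event_id|user|host".
SAMPLE_LOG = """\
2015-06-10 08:55:12|4624|asha|FIN-WS07
2015-06-10 23:41:03|4624|asha|FIN-WS07
2015-06-11 02:17:45|4740|ravi|HR-WS02
2015-06-11 02:19:10|4740|ravi|HR-WS02
2015-06-11 09:02:30|4624|ravi|HR-WS02
2015-06-11 09:15:00|4624|meera|OPS-WS11
2015-06-11 18:30:00|4624|meera|OPS-WS11
"""

BUSINESS_HOURS = (time(7, 0), time(20, 0))   # assumption: normal working window
EVENT_LOGON, EVENT_LOCKOUT = "4624", "4740"  # Windows Security log event ids


def parse_log(text):
    """Return a list of (timestamp, event_id, user, host) from the constructed format."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, user, host = line.split("|")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), event_id, user, host))
    return events


def off_hours_logons(events):
    """Rule 1: successful logons whose time of day falls outside BUSINESS_HOURS."""
    start, end = BUSINESS_HOURS
    return [(ts, user, host) for ts, eid, user, host in events
            if eid == EVENT_LOGON and not (start <= ts.time() < end)]


def lockouts_before_owner_logon(events):
    """Rule 2: per user, count lockouts that happened before the owner's next
    successful logon (the "locked out when I came in this morning" symptom).
    Returns {user: lockout_count}; users with no such sequence are omitted."""
    by_user = defaultdict(list)
    for ts, eid, user, _host in events:
        by_user[user].append((ts, eid))
    findings = {}
    for user, evs in by_user.items():
        pending = 0
        for _ts, eid in sorted(evs):
            if eid == EVENT_LOCKOUT:
                pending += 1
            elif eid == EVENT_LOGON and pending:
                # someone exhausted the password attempts, then the owner logged in
                findings[user] = findings.get(user, 0) + pending
                pending = 0
    return findings


def run_rules(log_text):
    """Run both rules over a log text and return their findings together."""
    events = parse_log(log_text)
    return {"off_hours": off_hours_logons(events),
            "lockouts": lockouts_before_owner_logon(events)}


if __name__ == "__main__":
    for rule, hits in run_rules(SAMPLE_LOG).items():
        print(rule, hits)
```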

7/23/2019 Mumbai Chapter E-journal 2014-15 Issue - 3

http://slidepdf.com/reader/full/mumbai-chapter-e-journal-2014-15-issue-3 8/21


Personnel security – All new personnel joining the organization should undergo a background verification check. In cases where they would be handling sensitive data, there should be a cooling-off period during which these employees should not be provided access to confidential data. Criminal background verification is a must for all employees handling or managing sensitive data, such as information security professionals, database and IT teams, processing teams etc.

Ensuring stringent background and criminal checks are done even for casual employees or contractors offering housekeeping and physical security services is mandatory.

Implementing and monitoring CCTV records, especially of critical areas like the CEO office, board or conference rooms, to identify any malicious acts by these personnel during the night is a must.

Hiring and exit formalities should be in sync with IT processes; any absconding or resigned staff should be deleted from systems within a defined time frame. In cases where potential job hunting is detected, the employees should be monitored closely to ensure data is not being taken out. Contract termination of external vendors, and more importantly of their personnel who have access to critical data of the organization, either for processing or through access to FTP / web systems, in an absconding state or resigning from service, should be notified to the organization immediately.

Another major factor that needs to be addressed is the proliferation of social media. Some of the most popular ones like LinkedIn, Facebook and Twitter are easy channels for people to vent their griefs and frustration, likes and dislikes... key information for competition to source these people to work for them and use them as spies. Inadvertent disclosure of corporate information could also lead to serious repercussions for the organization. It's important for organizations to have a policy and awareness session for their corporate staff.

Operational security – Giving data access to new employees on a "need to know" basis prevents the unnecessary proliferation of information. Likewise, policies restricting the use of open communication lines, such as the Internet and telephone systems, reduce the potential for the compromise of information. Other operational security issues include enforcing your own security policies on your vendors and suppliers.

Critical departments within the organization should be reviewed for potential ways the information could be maliciously used. There must be a clear understanding of who to disclose information to, and under what conditions and controls.

A strong security awareness program is the foundation for a strong operational security program. People must know what information they should protect, and specifically how to protect it. Everyone should be encouraged to identify & report any questionable circumstances, and know who to report it to.

Physical security – Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as your own employees. All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor. This helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Top management should lead by example and wear / display their badges at all times. Another physical security issue to be addressed is the control of garbage. Locks on office doors and file cabinets frequently go unused in many organizations. Clean desk policies, which require all sensitive information to be locked up, must also be enforced. A clear screen policy should be enforced.

Instances of corporate espionage and the damage caused – global / India

An article in ComputerWeekly in 2013 highlights a large and sophisticated cyber-attack infrastructure that appears to have originated in India. A group of attackers based in India seem to have employed multiple developers to deliver specific malware for private threat actors, according to a report by malware analysis firm Norman Shark. Analysis of IP addresses collected from criminal data stores showed that attacks targeted victims in more than a dozen countries.

'Shastrigate' – named after Shastri Bhavan, which housed a number of ministries – the recent leaks of documents from the Petroleum and Gas Ministry and later the Coal, Foreign Investment Promotion Board (FIPB), Power, Coal and New and Renewable Energy ministries. Delhi Police's Crime Branch arrested five persons, reportedly including two government officials and a journalist, for allegedly leaking classified documents from the petroleum ministry. Two forged identity cards of the Ministries of Coal and Power and copies of various official/secret documents were seized from his possession. A total of 16 people were arrested in the espionage case.

APT1 – China's cyber espionage units – they have been active since 2006 and have targeted more than 141 organizations, having stolen hundreds of terabytes of data from them. They focus on compromising organizations across a broad range of industries in English-speaking countries.

In 2001, Procter & Gamble admitted to a spying operation, alleged to have been carried out over 6 months, on its hair-care competitor Unilever. Their plan included going through Unilever's trash in search of documents.

In the early '90s allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems.

When the chief of production from Opel moved to rival Volkswagen and was followed by not one, not two, but seven other executives, Opel cried industrial espionage – over an alleged missing bundle of confidential documents – in response to which Volkswagen parried with accusations of defamation.

Michael Mitchell worked on the marketing and sales of Kevlar for DuPont until he was fired in 2006. He offered to provide his services to Kolon Industries Inc, a Korean firm which just happens to be one of two companies that manufacture fibers that can tough it out with Kevlar in the toughness stakes. After emailing his new bosses confidential information on Kevlar, he went back to old colleagues at DuPont to find out more.

Covert monitoring of Microsoft by Larry Ellison, head of Oracle, who wanted to expose Microsoft's funding of various public interest groups, used detectives to bribe the cleaning staff at Microsoft's Washington office to lay their hands on documents.

Conclusions

There needs to be a paradigm shift for information security professionals, from traditional information security mechanisms to focussed corporate espionage protection techniques. In the end, it's always the data and information that's at stake, and identifying and knowing where it lies in the organization and protecting it through focussed data security mechanisms removes the fizz if spies get their hands on it.

Many incidents have shown the impact of insider threats; in some cases 70% of them are related to it. If the information security team focuses on various other factors in addition to technical aspects, it would provide a holistic approach and reduce the potential loopholes which can be exploited. Close coordination with the Physical Security and Human Resources teams, working as one close-knit unit, would help alleviate the threats of corporate espionage.

A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for the attack to be successful are minimized.

References:
1. Akanksha Vasishth and Akash Kumar. 2013. "Corporate Espionage: The Insider Threat", Business Information Review, Vol. 30. June.
2. Ahvi Spindell. 2013. "Industrial Espionage Threats to SMEs Originate from Within". Thomasnet News. 17 October. http://news.thomasnet.com/IMT/2013/10/17/industrial-espionage-threats-to-smes-originate-from-within/
3. http://social-engineer.org/wiki/archives/PenetrationTesters/Pentest-Winkler.html
4. http://www.computerweekly.com/news/2240184448/Researchers-uncover-Indian-cyber-espionage-network
5. http://intelreport.mandiant.com/
6. http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/

Social Media Usage in the Enterprise

-K K Mookhey

Introduction

With the onslaught of SMAC – Social Media, Analytics, Mobility and Cloud Computing – in our personal as well as professional lives, we are spending a huge amount of time and energy in a digital world. Many organizations are faced with the challenge of how to handle and even leverage these technological innovations to gain a business advantage. This article looks at the aspect of social media and how best an organization may decide its stance with respect to allowing or disallowing users access to social media sites from work.

What is social media?

Social media refers to those websites where users interact with each other based on common interests and much of the content is user-generated. The most common examples of social media are of course Facebook, Twitter, LinkedIn, etc.

Why are we opening up access to social media?

The main objective behind this step should be clearly articulated and spelt out for all employees to read and understand.

What aspects are to be kept in mind when allowing employees access to social media from within the network?

Brief Bio

About The Writer

K. K. Mookhey is the Principal Consultant at Network Intelligence (I) Pvt Ltd. and the Institute of Information Security. One of the pioneers in the information security space, he founded NII in 2001. What started as a one-man show has grown into a team of 200+ security professionals working across India and the Middle East with the who's-who of industry as long-term clients. He is the author of two books on security – Linux Security & Controls and Metasploit Framework – as well as numerous articles. He is one of the first Indian security researchers to have presented at Blackhat USA in 2004. His experience and skillsets encompass IT Governance, Information Security Strategy, Forensics, Fraud Risk Management, and Business Continuity. He holds the CISA, CISSP, CISM, CRISC and PCI QSA qualifications.

There are certain risks that we must be aware of when allowing access to social media:

1. Loss of productivity

One of the concerns that senior management might have is that people will end up spending too much time on these sites and thereby reduce their focus from work. Studies have shown that a large percentage of access to social media happens during working hours even in cases where employers have not allowed such access on their networks. This means that employees in any case access these sites using their smartphones. One answer to this problem would be to allow access to these sites during specific times of the day – such as during lunch break as well as after working hours. This will give employees a targeted time during the day when they can use these sites and reduce their propensity to access them using their smartphones. Why increase one's data consumption when the company network allows me to access these sites during lunch and after working hours? We might actually see an increase in productivity from this approach.

It is important to closely monitor social media usage and bandwidth consumption on a regular basis to avoid misuse.

2. Security risks

Often the content and links posted on social media sites can be used to compromise the user's system via a phishing scam or malware download. While this can happen in any case, social media interactions happen with a certain level of inherent trust – the posts and links are from friends of mine and therefore must be valid to some extent. This can be mitigated by strong malware controls within the network as well as constant employee education. While we open up social media for our employees, we should combine it with an awareness campaign that helps them use social media in a secure fashion.

3. Employee privacy

Managers must be sensitized not to cross boundaries of social etiquette and laws around workplace harassment just because they are connected with their peers or employees over social media. This connectivity can create a false sense of intimacy where none might exist and cause relationships to sour. Certain boundaries must be maintained in social media interactions between employees – especially between those in management positions and their subordinates.

4. Disclosure of sensitive information on social media

Any instance of disclosure of company confidential information on social media should be handled with strict action and a strong message sent that these channels cannot be used for causing any sort of harm to the company or its reputation. Again, the employee awareness campaigns should help sensitize people to the proper usage of these channels and ensure they don't inadvertently disclose insider information even over chat.

5. Protecting company reputation

What employees post about the Company should be outlined – more along the lines of encouraging them to give positive insights rather than listing out too many restrictions, which might appear to be a curb on freedom of speech. The signal that should go out is that social media is a positive technology, and promoting the Company, its brand, and its practices on social media would help create a beneficial image for the Company and employees. Promote employees to use their common sense rather than treat them with kid gloves.

6. Other safeguards

The other guidelines we have in our acceptable usage guidelines for email and Internet should also flow through to social media – such as not posting content of a sexual nature or that which might break the country's laws or be considered racist or offensive.

Overall, the following steps should be taken:

1. Identify the purpose behind taking this step and make it public to all employees
2. Restrict use of social media to lunch break and after working hours
3. Monitor closely usage of these sites and alert employees and their managers if usage crosses acceptable thresholds
4. Educate employees to the risks of social media – even at home – this will encourage them to follow proper safety precautions both at work and at home
5. Create an acceptable set of guidelines and circulate them to all employees

Further reading:

Social Media Strategy, Policy and Governance
Enterprise Social Governance
Social Media Policy Template
Social Media Policy Template
Another template (4 pages)
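Steps 2 and 3 above (allow social media only during lunch and after working hours; alert when usage crosses a threshold) can be checked mechanically against proxy logs. The following is an added example, not the author's code: the domain list, the 13:00-14:00 and after-18:00 windows, the 30-minutes-per-day threshold and the pipe-separated log lines are all constructed assumptions.

```python
"""Evaluate social media requests from a proxy log against a time-window policy
and a per-user daily usage threshold.  Added example; all values are assumed."""
from collections import defaultdict
from datetime import datetime, time

SOCIAL_MEDIA_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com"}  # assumption
# Assumed policy: lunch break and after working hours only.
ALLOWED_WINDOWS = [(time(13, 0), time(14, 0)), (time(18, 0), time(23, 59, 59))]
DAILY_THRESHOLD_SECONDS = 30 * 60  # assumption: 30 min/day before managers are alerted

# Constructed sample proxy log: "timestamp|user|host|session_seconds".
SAMPLE_PROXY_LOG = """\
2015-06-10 10:15:00|asha|www.facebook.com|600
2015-06-10 13:20:00|asha|www.facebook.com|900
2015-06-10 13:40:00|ravi|linkedin.com|300
2015-06-10 18:30:00|ravi|twitter.com|1500
2015-06-10 19:10:00|ravi|twitter.com|200
2015-06-10 11:00:00|meera|intranet.example.com|3600
"""


def is_social_media(host):
    """True for a listed domain or any of its subdomains (www.facebook.com)."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_MEDIA_DOMAINS)


def in_allowed_window(ts):
    """True when the request's time of day falls inside one of ALLOWED_WINDOWS."""
    t = ts.time()
    return any(start <= t <= end for start, end in ALLOWED_WINDOWS)


def evaluate(log_text):
    """Return (blocked_requests, usage_by_user_and_day, users_over_threshold).

    blocked_requests: list of (timestamp, user, host) outside the windows;
    usage: {(user, 'YYYY-MM-DD'): seconds} for allowed social media sessions;
    users_over_threshold: sorted users whose daily total exceeds the threshold."""
    blocked = []
    usage = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts_text, user, host, seconds = line.split("|")
        if not is_social_media(host):
            continue  # policy only concerns social media sites
        ts = datetime.strptime(ts_text, "%Y-%m-%d %H:%M:%S")
        if not in_allowed_window(ts):
            blocked.append((ts, user, host))
            continue
        usage[(user, ts.date().isoformat())] += int(seconds)
    over = sorted({user for (user, _day), secs in usage.items()
                   if secs > DAILY_THRESHOLD_SECONDS})
    return blocked, dict(usage), over


if __name__ == "__main__":
    blocked, usage, over = evaluate(SAMPLE_PROXY_LOG)
    print("blocked:", blocked)
    print("usage:", usage)
    print("alert managers for:", over)
```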


Vendor risk assessment

-Latha Sunderkrishnan

Brief Bio

About The Writer

Latha Sunderkrishnan (CISA, ISO27001 LA, COBIT 5 Foundation) is a Senior Consultant with Network Intelligence India. She is an Electronics Engineer with more than 17 years of experience in IT with various multi-national organizations, working with a wide variety of technologies. She has worked in Information Security Audits and Consulting, Information Security trainings, Project Management, Quality Assurance and Customer Support. She can be reached at [email protected]

1. Introduction

Companies today have third party contracts with various vendors. Most of the processes are outsourced to various companies. This is the most convenient and flexible way to work, so that overall management activities are limited to just vendor management alone. The quantum of work that is outsourced to third parties includes not just IT, data management and security providers, but also facilities management (cleaning, HVAC – Heating, Ventilation and Air Conditioning) along with any vendor that may have access to network, data or facilities. However, outsourcing to third parties comes with significant risks such as adverse vendor incidents, and sometimes even penalties from regulators.

In today's paperless and highly competitive environment, it is in the interest of the company to safeguard its information. Therefore it becomes imperative that the company does everything to manage and maintain its IT infrastructure. This means a need to evolve a Vendor Risk Management process, which will look at various aspects of information security associated with the vendor. This would include management of risks right from identifying the vendor, contract management, risk management, business continuity plans etc. Managing external vendors should be a key competency for every enterprise and can lead to optimally mitigated risk and significant benefits.

In order to establish an effective vendor management process with goals and objectives, the enterprise needs to ensure the following:

• Vendor management strategy is consistent with enterprise goals.
• Effective cooperation and governance models are in place.
• Service, quality, cost and business goals are clearly defined.
• All parties perform as agreed.
• Vendor risk is assessed and properly addressed.
• Vendor relationships are working effectively, as measured according to service objectives.

2. Approach

1. A risk assessment needs to be done for choosing the vendors. The controls implemented need to be evaluated and, if need be, the policies and procedures need to be audited. The selection procedure should have been performed with due diligence. This should be properly documented based on needs and appropriate criteria.
2. Site visits to the vendor office need to be carried out. The financial capabilities of the vendor need to be assessed, along with previous experience, staff capabilities, any pending litigation or customer complaints etc.
3. Skill levels and training of the vendor need to be assessed. This will help in understanding their capabilities for the contractual work undertaken.
4. Check that adequate documentation is present to convey the program management of the vendors to the relevant staff of the company.
5. The contracts need to be well defined. They should be vetted by internal/external legal counsel.
6. Adequate staff should be deployed in order to fulfill the requirements of the contract. The third party staff should be well aware of their roles and responsibilities. They should also have had confidentiality agreements signed.
7. All records pertaining to activities need to be managed in an organized manner. Methodologies for updating and archiving documents need to be defined.
8. The results of the activities performed by the vendor need to be reported to the management on a timely basis. This should be reviewed by management periodically. There should be a feedback mechanism in place. Thus the performance of the vendor needs to be evaluated continuously.
9. All precautions need to be taken to ensure that the data of the organization is protected and secure at all times.
10. The organization should ensure that compliance is met and all policies and procedures are complied with. It should also plan for regular audits of the third party process and ensure that those are also complied with at all times.

11. In case the outsourced vendor is a foreign company, the organization should take care that the legal requirements are met. There should be penalty clauses or fines that can be enforced.
12. The vendor organization should also have Business Continuity Plans and Disaster Recovery plans in place in case of any disruptions. It should ensure that the activities are still performed in case of a disaster.

3. COBIT 5 framework for Vendor Management

COBIT 5 has defined a framework for Vendor Management. Here it defines the roles and responsibilities of the different stakeholders in the contractual agreements. The RACI (responsible, accountable, consulted and informed) chart is as shown in the figure below:

Vendor Management RACI chart (Contractual Relationship Life Cycle)

Stakeholders              Setup   Contract   Operations   Transition-Out
C-level executives        A       A          A            A
Procurement               R       R          I            R
IT                        R       R          R            R

For the remaining rows of the chart only a single value survives, and the life cycle phase it belongs to is not recoverable here: Legal R, Risk function C, Compliance and audit C, Security R, Human resources (HR) C. No values were recovered for Business process owners.

C-level Executives – They are accountable for the vendor management process, depending on the scale of outsourcing.
Business Process Owners – Business process owners should be actively involved in the vendor management life cycle.
Procurement – Many responsibilities within the vendor management life cycle belong to the procurement function.
Legal – To effectively mitigate vendor-related risk, the legal function should be involved throughout the entire vendor management life cycle.
Risk Function – The risk function should be consulted throughout the vendor management life cycle to obtain a complete view on risk that is related to the relationship, services or products.
Compliance and Audit – The compliance and audit functions should be consulted throughout the vendor management life cycle to ensure compliance with internal and external laws, regulations and policies.
IT – The IT role is significant because its members may be more familiar with the products and services and their market availability.
Human Resources – The HR stakeholder should be consulted throughout the vendor management life cycle to ensure compliance with the enterprise's worker statutes, local regulations, code of conduct and labour law.

4. Managing a Cloud Service Provider

Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data, applications and infrastructure associated with cloud computing use.

The cloud is a shared resource; hence identity management, privacy and access control are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas has become a priority for organizations contracting with a cloud computing provider.

Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy and compliance with necessary regulations. The processes may also include a business continuity and data plan in case of a cloud security breach.

Using the public cloud effectively is an IT governance issue. The impact the cloud is having on the organization is initially assessed in order to devise a strategic and workable approach.

It is important to identify and categorize data already within the organization and the business processes around them. For example, storing credit card data in house currently and outsourcing the storage would mean an increased scope for PCI DSS (although outsourcing the payment transactions themselves to an approved provider usually makes sense). Storing personal data could have legal ramifications if it is stored or replicated outside the country of the data subject.

Firstly, there is a need to address the new threats that virtualisation poses within cloud computing. The second is the ability of SMEs to perform due diligence effectively for an outsourced provider, given they rarely have in-house technical or legal expertise.

Google Plus cloud service helps me keep my contacts, calendars, photos, etc., synchronized across my various computing devices. Thus I like this feature and service. When suddenly I had to switch mobiles as my previous one was not working, I got back all my data intact from this service. But I am also careful about the data I put there.

5. Metrics for SLA

An SLA would define the service level agreements between the vendor or service provider and the company. It would also include how the services would be measured. This would define if the expectations are met in terms of the services provided.

How to go about choosing the various factors for the metrics?

Firstly there is a need to define the KPIs that could be used to measure the metrics. Secondly, it would include the type of KPI, like:

Objective – Number of major incidents in a month
Subjective – Improvements in client satisfaction

When selecting a KPI, one needs to understand what the indication of value to the customer is:

Enhanced performance in the business
Constraints removed from the business
Availability & reliability of the service
Performance of the service
Security of the service
Service continuity (ability to recover from disaster)

Metric types could be:

Service metrics, which reflect the end-to-end quality of service or 'user experience'
Process metrics, to inform the service provider and customer of the effectiveness (achieving goals) and efficiency (use of resources) of key activities within the service delivery function
Technology metrics, to inform the IT provider at the component level, enabling the identification of issues and improvement opportunities


Penalty clauses should be used only if:

there is a reasonable lack of performance
it is only the service provider's fault, which means that the company is not at fault at all

It should be done in a fair manner with an overall understanding of the incident.

Above all else, never forget the #1 rule – nothing should be included in an SLA unless it can be effectively monitored and measured at commonly agreed points.

6. Third Party Audits

These can be conducted once in a while depending on the criticality of the services. For these audits, the general controls used are:

Risk Assessment – Based on the risks pertaining to Confidentiality, Integrity and Availability, access should be provided to the third party. Access control rights can be given based on the sensitivity of the data. This should also be taken care of as a clause in the contract. The risk assessment can decide the further action that needs to be taken.

Screening – Background checks for vendors/partners need to be performed vigilantly. This is a very important aspect of vendor management. The company also needs to be checked for its financial viability. Depending on the criticality of the business and contract, audits could also be performed on their existing information security controls and processes.

Information transfer – Agreements with the external party need to address that the transfer of information between both parties happens in a secure manner.

Selecting clauses in the agreement – Based on the risks assessed, the clauses should be present in the agreement. Penalty clauses based on the risks identified should exist. Turnaround time should also be mentioned in the clauses.

Access control – Access to data by third party contractors needs to be monitored at regular intervals. It should be given only on a needs basis, and the minimum access necessary should be provided.

Confidentiality and Non-Disclosure Agreements – Confidentiality and non-disclosure agreements need to be signed by all employees of the third party who are contracted by the organization. This needs to be reviewed on a periodic basis.

Compliance monitoring – Ensure that the third party complies with all clauses pertaining to security. This needs to be monitored, and they can also be audited for the same. This needs to be controlled based on access and other rights on data.

Termination of the agreement – When the agreement is terminated, or the contract has expired and the company has decided not to extend it, the proper controls for this need to be monitored: all assets should be returned by the vendor, and all access rights removed for the vendor. This again needs to be part of the contract.

7. Need for an effective vendor risk assessment

An effective and efficient vendor risk assessment provides benefits to the enterprise in terms of:

Delivery of cost savings
Meeting stakeholder needs
Risk management
Assurance of quality
Standardization
Flexibility and efficiency

IT security has become an important aspect for any business. Most companies are not willing to budget enough for IT security in general and vendor risk assessment in particular, despite the fact that security of the data processed by the enterprise, including vendor resources, is pivotal. Data security may not be the primary business of any company, so companies do not spend higher amounts on IT security in general and on vendor risk assessment in particular.

Financial services companies are inclined to have higher budgets for IT security in general and for vendor risk assessment as compared to other types of companies. This is because regulators have mandated security and confidentiality of customer data processed by these companies, albeit using many vendors. Consequently, these companies are forced to implement IT security standards. A vendor risk assessment will assure us that a vendor has become conscious of protecting the confidentiality, integrity and availability of the data and the associated information assets. This brings a culture change at the vendor company. Controls of IT security can be implemented only if the management of the vendor company supports the initiative.

References:
http://citebm.business.illinois.edu/TWC%20Class/Project_reports_Spring2006/Business%20Risk%20Management/Manzoor/project%20report.pdf
http://www.employeeservices.gov.sk.ca/projectsecurity
www.isaca.org – Vendor Management Using COBIT 5

Security Considerations while Procuring BYOD

Solutions for Mobile Phone/Tablets-Janak Majithiya

Bring your own device (BYOD) is the latest trend in many companies. Business requirements for Workingfrom Home, accessing E-mail 24*7, instant customer support etc. are increasing and future trend looks likethis is continue to be increasing.

In early 2010, most companies were using BlackBerry as company provided mobile phone device. Fewmonths later smartphone took over all most entire market of BlackBerry. Smartphone has made life easy,user friendly and cost effective. Companies realized going cost of BlackBerry server, user license, devicecost and Service cost. From a security perspective, BlackBerry is reasonably secured due to lots ofsecurity policy options available on BlackBerry Server but too costly as compared to smartphone.

Further, it is also a headache for the IT team to manage the inventory of such mobile devices. There are other issues as well, e.g. finance has to maintain the book value and depreciation if a device is lost or stolen, the IT team has to maintain the Asset Allocation Form, arrange repair in case a device is faulty, coordinate with the vendor, follow the purchase procedure etc. After all of these headaches and spending lots of money, business users are still not satisfied due to the quality of the company phone and the restrictions and controls over the company-provided phone.

Just to avoid these many hurdles and to save cost, many companies have started allowing users to use their own smartphone devices. However, I have seen many companies implement a BYOD policy without even thinking of "Information Security Risk".

Risk Assessment (Without implementing any BYOD Security Solution)

Threat: Information Leakage through BYOD

Vulnerabilities:

1. No segregation between "Corporate Information" and "Personal Information".

2. A user can download any attachment onto the BYOD phone memory card. In case of user separation, the IT team cannot delete files stored on the personal memory card.

3. A single user can configure the company's e-mail account on multiple mobile phone devices without the IT/Security team's knowledge.

Business Risk: There is a risk of information sharing (intentional or unintentional) with an unauthorized person or competitor due to the absence of security controls over the BYOD mobile; this may lead to loss of business / reputation.

I hope the above table is enough to alert business stakeholders on information security assurance. No firewall can help prevent information leakage if this is not taken care of.

Many security companies have developed BYOD security solutions. It is important for the company's security officer to choose the right solution to protect information. When we think of allowing user-owned devices for official purposes, the following MUST be taken care of:

Brief Bio About The Writer

Janak Majithiya (CISA, ISO27001 LA) has 10 years of extensive experience in information security, designing and reviewing infosec policies and procedures, information security risk management, ISO/IEC 27001 implementation and auditing, information security audit and third-party information security risk assessment.


1. Ensure the company's information is protected on the user-owned device.

2. Ensure the user's privacy. At the end of the day it is the user's device; the company has no right to monitor what is stored on the user's mobile phone.

Most recognized BYOD security solutions provide THE MOST IMPORTANT SECURITY FEATURE, CALLED SECURE CONTAINER.

Such a tool creates a "Corporate Space" within the phone memory to segregate the company's information from personal information. Users access the "Corporate Space" through a BYOD client installed on their device.

The magic of this control is: the user cannot copy and paste any information from "Corporate Space" to "Personal Space".

Following are the TOP 10 security controls that MUST be considered in your BYOD security solution:

1. Secure Container: As mentioned above. Please don't even do a POC if the solution does not provide a secure container feature. All business e-mail attachments are to be stored in the corporate space only and not in the personal space. Copy and paste should not be allowed from the corporate space to the personal space.

2. Restrict screenshot: No screenshots in the corporate space.

3. Integrate with the company's central authentication control: The BYOD security solution should be able to integrate with the company's AD to access e-mails. This feature reduces the IT team's headache of maintaining a separate user management system.

4. Remote wipe-out: In case of theft or loss of the device, the company's IT team should be able to wipe the device remotely without anybody's intervention.

5. Selective wipe-out: There should be an option of "Selective Wipe-out" to wipe only the "Corporate Space". No personal data should be wiped out.

6. Password Policy: A few BYOD security solutions ask for a "Password" while accessing corporate e-mails. This is separate from the phone lock password.

7. Device Restriction: A user should be restricted to configuring the company's e-mail account on only ONE device. In case a user attempts to configure another device, the BYOD security solution should prevent it and raise an alert to the security administrator.

8. Audit Logs: Various logs: last sync date and time; device details, e.g. mobile number, IMEI etc.; activity logs; security logs; user ID and e-mail ID. Also check log retention, access to logs, security of logs etc.

9. Compatibility: Does your solution support iOS, Android, Windows Phone etc.?

10. User's Private data: BYOD solutions should not access the user's private space. The solution should respect the user's privacy.

The security checklist can be further enhanced with the BYOD security solution vendor and the security officer based on need. Once the solution is implemented, the organization's HR team rolls out the BYOD policy with eligibility criteria, dos and don'ts etc. There are lots of BYOD security solutions in the market; generally the CISO function should lead the BYOD security solution assessment.

Visit http://highersecurity.blogspot.in for more information security related blogs.
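As an added example (not from the article or from any BYOD product), a small Python model of how controls 1, 5, 7 and 8 above can be enforced together: the secure container refuses copies outward, a user may bind only one device, separation triggers a selective wipe that leaves personal data untouched, and every decision lands in an audit record. The class and method names and the sample IMEIs are all hypothetical.

```python
# Toy model of controls 1, 5, 7 and 8 above: secure container, selective wipe,
# one device per user and audit log fields. Added illustration only, not any
# vendor's product; all names and the sample IMEIs are hypothetical.
from dataclasses import dataclass, field
from datetime import datetime, timezone

@dataclass
class Device:
    imei: str                                      # constructed sample value
    corporate: dict = field(default_factory=dict)  # secure container contents
    personal: dict = field(default_factory=dict)   # user's own data

class ByodPolicy:
    def __init__(self):
        self.enrolled = {}   # user -> IMEI; control 7 allows exactly one device
        self.audit = []      # control 8: user, device, event and timestamp
        self.alerts = []     # messages raised to the security administrator

    def _log(self, user, imei, event):
        self.audit.append({"user": user, "imei": imei, "event": event,
                           "time": datetime.now(timezone.utc).isoformat()})

    def enroll(self, user, device):
        """Bind the first device; refuse any other device and raise an alert."""
        bound = self.enrolled.get(user)
        if bound is not None and bound != device.imei:
            self.alerts.append(f"{user}: enrollment of {device.imei} refused")
            self._log(user, device.imei, "enroll_denied")
            return False
        self.enrolled[user] = device.imei
        self._log(user, device.imei, "enrolled")
        return True

    def copy(self, user, device, name, to_personal):
        """Control 1: personal -> corporate is allowed, corporate -> personal is blocked."""
        if to_personal:
            self._log(user, device.imei, f"copy_blocked:{name}")
            return False
        device.corporate[name] = device.personal[name]
        return True

    def selective_wipe(self, user, device):
        """Control 5: on separation clear only the container; personal data stays."""
        removed = len(device.corporate)
        device.corporate.clear()
        self.enrolled.pop(user, None)
        self._log(user, device.imei, "selective_wipe")
        return removed
```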


ISACA Conference


Photo Gallery

Felicitation of 2014 exam passers

The chapter celebrated the success of ISACA 2014 exam takers in a glittering felicitation ceremony. Exam passers turned out in large numbers to receive their mementos and shared their experience about planning and preparation for the exam. A special mention of the function is a son getting his CISA memento in the presence of his mother, who is also a CISA and an old member of the chapter. It was really heartening to see a mother and son holding CISA certifications together. The function finished with a dinner which was appreciated by all.

PCI DSS Workshop

Photo captions: Exam passer from Vadodara receiving the memento; CISA Coordinator and President talking to exam passers; Exam passer getting memento; Group Photo; Happy exam passer; Mementos; Mother and son CISA.


Solution To Last Edition's Crossword Puzzle

A B C D E F G H I J K L M N

1 S P L I T K E Y

2 A P B S P I C E

3 A U D I T R I

4 M L H R O S P F

5 M L R O X H

6 I Z E R O D A Y E

7 S N A A T R

8 G R A T K P

9 C C I H P I I

10 R I F T T R

11 I D S Q S A T O R A

12 S P D P P C

13 C H A I N O F C U S T O D Y

Career Fair


Crossword Puzzle

(Grid: columns A to P, rows 1 to 15; the blank grid is not reproduced in this text version.)

ACROSS

A-2 Something that blocks the signal
A-5 Computer dept. in old days
A-7 A code that can be used only once
A-12 Access which is not permitted
C-10 L in MPLS
C-14 A risk which remains after applying countermeasures
E-6 A US Govt Computer Security Standard for Cryptography (xxxx 140)
F-4 Objectionable sites are part of this
I-2 A business private social network
M-9 A type of ethical testing (xxxx box)
M-14 The overall performance of a telephony or computer network
N-7 Replicates and spreads over the network

DOWN

A-4 To remove or eliminate the key from a cryptographic equipment or fill device
B-1 A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema
D-2 Layer 2 of OSI Model
F-1 A unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of X.500 directory service
F-6 A device that protects the network
E-12 To be used in place of SSL
H-7 An _____ inventory is a must for any organization
J-7 A widely used authentication protocol developed at MIT
L-1 Software that allows a single host to run one or more guest operating systems
N-7 A type of malicious code
O-6 A supercomputer
O-12 Message Digest
P-2 A digital certificate containing a public key for an entity
P-10 Rendering sanitized data unrecoverable by laboratory attack
