Cyber Security Risks and Solutions

Cybersecurity Awareness: Risks and Solutions Compilation discusses cybersecurity risks and solutions for telecommunications companies. Section 1 outlines various cybersecurity risks including data privacy and regulations, threats from third parties, bring your own devices, internet of things, employee engagement, and cloud computing. Section 2 provides examples of past cyber attacks on telecom companies that impacted operations, finances, brands, and share prices. Section 3 discusses increased telecom regulations in India to improve cybersecurity practices and penalties for non-compliance. Section 4 considers common questions from telecom leaders about assessing cybersecurity readiness and addressing potential gaps, weaknesses, data leakage risks from rogue employees, and responding to cyber attacks.

Uploaded by

Đức Trí

Cybersecurity Awareness
Risks and Solutions Compilation

Contents

Section 1 Cyber Security Risks
1 Cyber Security
2 Data Privacy and Regulations
3 Threats from third party providers
4 BYO(D)
5 Internet of Things (IoT)
6 Employee Engagement
7 Cloud Computing
8 Social Media Management

Cyber Security
Setting the context

Attack Incidents

TRAI, 2015: TRAI website down due to DDoS attack. The alleged hacking took place a few hours after the TRAI revealed the email addresses of over one million people who had written to it expressing their views on a consultation paper on the issue of net neutrality.

Gaana.com, India, 2015: Gaana, which is one of the top music streaming sites, was allegedly hacked by a Pakistan-based hacker. The hacker gained access to data that displays the user IDs of users, their passwords and other private details.

TerraCom & YourTel, 2014: Personal data of over 170,000 customers – including social security numbers and other identifying data that could be used for identity theft – were sitting on a publicly accessible server.

Bell, Canada, 2014: Canada's largest telecom firm Bell Canada hit with a 22k password breach. The breach occurred after a third-party supplier's system was hacked.

Vodafone, 2013: An IT contractor for the firm used his deep access to the telecom giant's system to copy customer names and bank account details.

Nortel, 2012: Hackers working from China had access to Nortel's networks since breaching the telecommunication company's networks as far back as 2000. Hackers stole seven passwords from Nortel's top executives, granting them access to critical data.

KT Corp., Korean mobile carrier, 2011: Two suspects reportedly earned an estimated $877,000 by selling contact information and plan details of 8.7 million KT subscribers, almost half of the carrier's total customers.

Impacts on Telco: Financial Impact, Operational Impact, Brand Impact, Share price drop, Regulatory Impact

Page 5
Telecom Regulations make it tougher

National Critical Information Infrastructure Protection Centre (NCIIPC)
Requirement: Government of India has designated 'National Critical Information Infrastructure Protection Centre' (NCIIPC) of National Technical Research Organisation (NTRO) as the nodal agency under Section 70A(1) of the Information Technology (Amendment) Act 2008 for taking all measures including associated Research and Development for the protection of CIIs in India.
Impact: Financial, Operational and Legal impact to the affected organization.
How can we help:
• Technology risk assessment of IT and NT infrastructure

Amendment to UASL license
Requirement: All telecom service providers need to adhere to DoT guidelines 41.6 (A), which details the security norms to be followed by telcos operating in India.
Impact: A penalty of up to INR 50 crore will be levied for any security breach caused due to inadvertent inadequacy in precaution on the part of the licensee prescribed under this amendment.
How can we help:
• Review of the IT and NT infrastructure against requirements of UASL amendment, 2011
• Upgrade and review of Minimum baseline security standard for IT and NT infrastructure

IT Act Amendment 2008
Requirement: Section 43-A primarily deals with compensation for negligence in implementing and maintaining reasonable security practices and procedures in relation with SPI.
Impact: Penalty under IT Act originally capped compensation claims at Rs 1 crore under section 43. This cap has now been removed. Section 72A provides imprisonment up to 3 years and fine up to Rs 5 lakh for disclosure of personal information in breach of a lawful contract.
How can we help:
• Data Privacy advisory
• Data Privacy solutions

Page 6
What leaders are asking about their cyber security readiness?

Executive leadership should consider whether the organization's security framework could respond to these issues:

► Control failures: Could gaps or weaknesses in our IT controls and security be contributing factors?
► IP & data security: Is our organization covered against data leakage, loss and rogue employees?
► Reputation risk: How would a cyber attack affect our reputation and brand?
► Information risk: How will our organization address the key risk areas of security, resilience and data leakage?
► Regulatory risk: How will governments and regulators respond to the increasing threat of information risk?
► Shared Services Centers: Would using third parties or shared service centres increase risks to our security and IT sourcing?

The success of a sophisticated, effective security strategy lies in the ability to look ahead to future opportunities and threats.

Page 7
Cyber security: Evolution of threats – attacks become better funded and more sophisticated every year

Attacker types, in order of increasing attacker resources and sophistication:

Unsophisticated attackers (script kiddies): You are attacked because you are on the internet and have a vulnerability – you represent a challenge. Motives: amusement, experimentation, nuisance, notoriety.

Sophisticated attackers (hackers): You are attacked because you are on the internet and have information of value – or they have a reason for disrupting your business. Motives: money, IP, manipulation of systems, industrial espionage, embarrassment and competitive advantage, political/social/environmental causes.

Corporate espionage (malicious insiders): Your current or former employee seeks financial gain from stealing/selling your IP – or they want to cause disruption for other reasons. Motives: personal gain, revenge, inside information, stock price manipulation.

Organised crime (criminal networks): You are attacked because you have information of value – for them to sell, to use as blackmail or hold to ransom. Motives: any information of potential value to sell or use for extortion/ransom: cash, credit cards, identities.

State sponsored attacks / Advanced Persistent Threat (APT): You are targeted because of who you are, what you do, or the value of your intellectual property. Motives: state sponsored espionage, market manipulation, competitive advantage, military/political objectives.

Timeline of notable attacks (1980s/1990s to 20XX):
► BrainBoot/Morris Worm ► Polymorphic viruses ► Michelangelo ► Concept Macro Virus ► Melissa ► 'I Love You' ► Anna Kournikova ► Sircam ► Code Red and Nimda ► SQL Slammer ► Blaster ► Fizzer ► MyDoom ► NetSky ► Sasser ► Zeus ► Koobface ► Conficker ► Aurora ► Poison Ivy ► agent.btz ► Stuxnet ► WikiLeaks ► Anonymous ► SpyEye ► Duqu ► Flame ► CryptoLocker

Page 8
How big is the problem?

Top 5 countries by the total number of cyber crime complaints received:

S.No.  Country         Complaint %  Complaint total loss ($)
1      United States   90.63%       $574,276K
2      Canada          1.38%        $14,414K
3      United Kingdom  0.85%        $13,005K
4      India           0.71%        $4,399K
5      Australia       0.69%        $8,940K

Gender  Count    Percentage
Male    137,096  52.27%
Female  125,717  47.73%

Age       Count   Percentage
Under 20  8,796   3.4%
20-29     48,032  18.3%
30-39     54,780  20.8%
40-49     55,838  21.2%
50-59     55,459  21.1%
Over 60   39,908  15.2%

Source: 2013 Internet Crime Report, FBI IC3

Page 9
Cyber threats in numbers!!

► The number of web-based attacks in 2013 increased by 30%.
► The number of phishing sites spoofing social networking sites increased by 125%.

Motivations behind attacks (chart shares shown: 47%, 46%, 4%, 3%):
► Most attacks in 2013-14 had both web and social engineering components, but there was also a dramatic rise in politically motivated DDoS attacks.

Attack trends (chart covering 2000 to 2015, scale 0 to 300):
► Mobile devices and mobile applications
► Hacktivism and cyber protests
► Advanced Persistent Threats
► Lures
► Social engineering and social media
► Search engine optimizing poisoning
► Spam and spear phishing

By 2013, cybercrime resulted in economic losses of over 110 billion US dollars, affecting over 550 million adults worldwide. In financial terms, this is the equivalent of the entire GDP of a country like Morocco, Slovakia or Bangladesh. In human terms, this is significantly greater than the entire population of Europe.

Almost 50% of teenagers aged 13-17 reported that they experienced cyberbullying.

► The World Economic Forum predicts a 10% chance of a major infrastructure breakdown in the near future, which may cause damage to the global economy amounting to $250 billion!

* Source: The World Economic Forum, Internet Governance Forum, International Telecommunication Union, ITU-IMPACT, NATO Cooperative Cyber Defence Centre of Excellence, the US National Cyber Security Alliance, Association of Certified Fraud Examiners (ACFE), Symantec and Kaspersky Lab

Page 10
Awareness of Cyber threats propels improvement:
EY's Global Information Security Survey (GISS), 2014

The leaps that organizations are making
► 56% of respondents say that it is "unlikely" or "highly unlikely" that their organization would be able to detect a sophisticated attack.
► 43% of organizations indicate that information security budgets are on the rise.
► 46% of spend will be directed toward security improvement, expansion and innovation in the next 12 months.
► 46% of organizations align their information security strategy to the organization's business strategy.
► 68% of organizations say their information security function partially meets organizational needs.

The steps that organizations still need to take
► 53% of respondents cite a lack of skilled resources as a barrier to value creation.
► 35% of respondents feel they are leaders or pioneers in security programs.
► 65% of respondents cite budget constraints as their number one obstacle to delivering value to the business.
► 62% of organizations have not aligned their information security strategy to their risk appetite or tolerance.
► 59% of organizations cite an increase in external threats.

Page 11
The leaps that organizations are making

► 56% of respondents say that it is "unlikely" or "highly unlikely" that their organization would be able to detect a sophisticated attack.
► 43% of organizations indicate that information security budgets are on the rise.
► 46% of spend will be directed toward security improvement, expansion and innovation in the next 12 months.
► 46% of organizations align their information security strategy to the organization's business strategy.
► 68% of organizations say their information security function partially meets organizational needs.
► 56% of organizations say that assessment of third parties is performed by information security, IT risk, procurement or internal audit function.

Page 12
What can organizations do?

Identify the real risks
► Define the organization's overall risk appetite and how information risk fits.
► Identify the most important information and applications, where they reside and who has or needs access.
► Assess the threat landscape and develop predictive models highlighting your real exposures.

Protect what matters the most
► Develop a security strategy focused on business drivers and protecting high-value data.
► Assume breaches will occur — improve processes that plan, protect, detect and respond.
► Balance fundamentals with emerging threat management.

Sustain an enterprise program
► Get governance right — make security a board-level priority.
► Allow good security to drive compliance, not vice versa.
► Measure leading indicators to catch problems while they are still small.
► Accept manageable risks that improve performance.
► Make security everyone's responsibility.
► Broaden the program to adopt enterprise-wide information risk management concepts.

Optimize for business performance
► Align all aspects of security (information, privacy, physical and business continuity) with the business.
► Spend wisely in controls and technology — invest more in people and processes.
► Consider selectively outsourcing operational security program areas.
► Set security program goals and metrics that influence business performance.
► Enable business performance.
► Don't restrict newer technologies; use the forces of change to enable them.

"The question is not can I be hacked, but can I be resilient?"
- CISO at a financial services company

Page 13
Data Privacy and Regulations
Privacy: Key components

Privacy & PII (Personal Identifiable Information)

"Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information."

Personal Information is information that is, or can be, about or related to an identifiable individual. Whose information: Employee / 3rd party staff; Customer; General.

Examples of personal information: Name; Employment history; Account numbers; Home or email address; User access details; Credit card / bank details; Organization details; Compensation/remuneration related matters; Tower operation details; Physical characteristics; Background investigation reports; Key customers; Date of birth; Landlord details; Credit information; Invoice/Bidding details.

Personal Information Life Cycle
• Collection: Obtaining personal information from internal or external sources, or directly from data subjects.
• Use: Processing personal information for various purposes.
• Sharing: Providing personal information to other entities within the company.
• Disclosure: Providing personal information to third parties (e.g., vendors).
• Retention and Disposal: Retaining personal information as needed and disposing of it in a secure manner when it is no longer necessary or as required by law.

Page 15
What could go wrong?

Considering what could go wrong is important for understanding what needs to be done to effectively manage and protect personal information. These challenges are often tactical in nature and symptoms of broader issues.

Common Challenges
• Lost or stolen media e.g. back up tapes
• Over-sharing of personal information
• Misuse of critical data
• Third party service provider control deficiency
• Web site leakage
• Hackers (inside and outside)
• Unwanted marketing communications
• Fraudulent transactions
• Social engineering, including phishing

Could result in
• Brand and reputation damage
• Regulatory action
• Direct financial loss
• Loss of customer and business

Page 16
Privacy regulations: a global perspective

• Canada: Federal / Provincial (PIPEDA, FOIPPA, PIPA)
• European Union: EU Data Protection Directive and Member States Data Protection Laws
• Japan: Guidelines for the Protection of Computer Processed Personal Data
• US Federal: GLBA, HIPAA, COPPA, Do Not Call, Safe Harbor Principles
• Hong Kong: Personal Data Privacy Ordinance
• India: IT Act 2008
• Philippines: Data Privacy law (Proposed Bill by ITECC)
• South Africa: Electronic Communications and Transactions Act
• Chile: Law for the Protection of Private Life
• Australia: New South Wales and Queensland, New Email Spam and Privacy Regulations
• Argentina: Personal Data Protection Law, Confidentiality of Information Law

LEGEND: National privacy or data protection law in place; Other significant privacy laws in place; Emerging privacy or data protection laws

Key Drivers for Privacy
• Increasing legislation in countries on privacy of customer financial and medical data
• Required to build a value proposition for "trustworthy outsourcing"
• Contracts and legally enforcing documents ensuring continued focus on privacy requirements
• Strategic driver in decision of outsourcing

Page 17
The privacy imperative

"Privacy encompasses the rights and obligations of individuals and organizations with respect to the collection, use, disclosure, and retention of personally identifiable information"
- Generally Accepted Privacy Principles from AICPA

Regulations in India: Emerging regulatory landscape and the need to be compliant (eg, Sec 43a – IT Act, new privacy law imposing criminal liabilities on offenders). A new privacy law will make privacy a fundamental right; also in present context a TRAI license requirement. Issues in MNP, International roaming.

License requirements: The telecom license in India mandates maintenance of "confidentiality" and "privacy" of customer data.

Privacy policy: A need to comply with privacy policy. The personal information of employee / third party staff and subscribers needs to follow the required privacy guidelines and regulations.

Page 18
There are four leading practices organizations can apply to improve their privacy programs

1. Commitment from the top: Gain management support to establish a charter and a long-term strategy for privacy protection.
2. Organizational alignment: As part of the strategy, develop a formal governance and operating model, align all aspects of privacy to the business and build relationships across the enterprise.
3. People, processes and technology: Make business processes related to privacy agile. Consider new technology choices in terms of their benefits as well as the privacy risks they may pose.
4. Operational enablement: Allow good privacy governance to drive compliance, not the other way around.

Change the culture: Accountability for privacy needs to be everyone's responsibility. Use the forces of change to enable the use of new technologies with appropriate privacy protocols rather than banning them entirely.

Page 19
Threats from third party providers
Telecom Tower Industry: Can we live without partners….

Outsourced to partners (key components): Network operations; Information Technology; Customer Service operations; Document management; Employee verification.

In-house with employees (key components): Business Strategy; Sales & marketing; Organization; Legal & regulatory; Supply chain; Branding.

Together they deliver seamless operations.

What partners bring to the table
► Organization can focus on core competency
► Expertise in non-core competency areas
► Reduce operation costs
► Increase productivity
► Distribution of risk
► Improve customer service

Partners also bring RISK!!!!

Page 21
Risks from third parties..

Technology Risks
• Data Security: Failure of vendor to appropriately manage information security / data privacy controls, which may result in misappropriation of business information and customer data.
• Availability: The vendor's architecture / dependence on a connectivity provider may not offer sufficient redundancy or resilience in the event of individual component failure / link failure.
• Scalability: Vendor may not be able to keep pace with growth of business and/or usage spikes without service failures or performance degradation.
• Manageability: The vendor may not be able to manage multiple clients due to infrastructure / resource constraints.

Process Risks
• Operational Risk: The vendor (IT vendors, Finance Vendors etc.) may not have hired skilled staff or trained them adequately to execute work, leading to sub-standard delivery of services. Also, breach of controls at the vendor's end may lead to business risk for the organization.
• Contractual Non-compliance: The vendor may lack the adequate monitoring mechanisms to detect and correct service "non-performance" and ensure consistent delivery of services.

Business Risks
• Delivery Risks
• Fraud: The vendor's employees or service providers may perpetrate fraudulent activities resulting in service abuse.
• Privacy: The vendor may operate in a non-regulated environment and may not have adequate measures to protect end user privacy.
• Reputation Risk: Damage to reputation or loss of clients due to poor customer service, errors, or processing delays.

Regulatory Risks
• Regulatory non-compliance: Vendor may not have adequate mechanism / controls to adhere to regulatory requirements such as ISO, PCI/DSS, COBIT, Data Protection Act, etc.
• Capital & Financing: The vendor may not have balance sheet strength. It may mean an inability to invest rapidly in infrastructure than anticipated.

Page 22
The outsourcing landscape

Trends in outsourcing
• Critical and complex processes are being outsourced
• New models for outsourcing have emerged
• Increased focus on legal & regulatory compliance

Pressures on third party management: More focus on operational risks; Increased capital market concerns; Internal barriers on outsourcing; New regulatory measures.

Imperatives for outsourcers
• Effective audit & monitoring procedures
• Defined service level management process
• On-going regulatory compliance

Third Party Management

Page 23
Drivers for third party risk management

• Vendor sourcing decisions that overlook key risks
• Incomplete population of vendors with sensitive data
• Inconsistent risk assessment and review practices across organization

Types of compliance monitoring process in use
(Q: Thinking about third parties that your organization uses, what systems or processes do you have in place to manage and monitor those relationships?)
• Approved Supplier database 37%
• Background Checking System 38%
• Use external provider to run checks 28%
• Check on ownership of third party 29%
• Use software/technology based of third party 22%
• Audit rights/regular audits of third party 23%
• None/no processes at all 26%
• Other 18%

Types of third parties representing the biggest compliance risk
(Q: Which type of third parties represents the biggest compliance risk to your company? Chart shares shown: 57%, 22%, 12%, 9%.)
• Vendor/Supplier: A party that supplies goods and services to your company
• Distributor: A firm which sells and delivers your products/services to your customers or acts as an intermediary in business
• Agent: An individual or firm authorized to act on your company's behalf
• Joint venture partner: A contractual party for the purpose of executing a part of your company's business

Page 24
Bring Your Own (Device)
Why organizations are leveraging mobile computing today

Key Drivers of BYO(D)

1. Improving productivity: Improving employee productivity by extending reach of existing apps. Transform infrastructure by changing application delivery method.
2. Enabling employees: Enabling employees via new or more efficient business processes. Arming your people with the best tools to increase productivity.
3. Enabling new business: Targeting new markets or offering clients new products/services. Deliver a new service, or existing service to a new market.

Page 26
The future mobile workplace will be driven by an empowered employee

Work will be done by open, interconnected, global communities where knowledge is collective and accessible.

The workforce will be more mobile, flexible, agile, and adaptable to the changing business needs.

The tools of work will be easy to use, seamless and always available.

The old world: Corporate owned device
The new world: Personal-owned device interfacing with corporate devices

B Y O (D)
Page 27
Challenges or barriers facing BYOD deployment

• Mobile device security 65%
• Data breach security 59%
• Mobile data security 55%
• Mobile application security 50%
• Integration with back-end corporate systems 26%
• Controlling employee use of mobile apps 25%
• Executive sponsorship 22%
• Cost of help desk support 18%
• Country-specific regulations 17%
• Expense of implementing applications 17%
• Industry-specific regulatory requirements 15%
• ROI for BYOD 15%
• Cost of training 9%
• Mobile app development costs 7%

The top concerns for BYOD are related to security. While there are various costs incurred on BYOD, they are not seen as major barriers for deployment.

Source: Forrester, Key strategies to capture and measure the value of consumerization of IT, July 2012

Page 28
Risks in adoption of BYO(D)

Mobile Device
• Devices: Jailbreak or rooting; NFC/Bluetooth exploits; Theft and Data Extraction; Social Engineering; Malware
• Apps: Data Leakage; Unencrypted Local Storage; Application Vulnerabilities

Enterprise Mobile Applications / Mobile Device Management
• Unencrypted data in transit
• Unsecure MDM Configuration
• Insecure Services
• Application Vulnerabilities

Private Cloud / Services
• Third party data leakage
• Insecure service configuration

External factors: Privacy legislation; Industry regulations

Page 29
Suggestive Solutions

Area / Goal
1. Securing mobile devices: Documentation, approval and roll out of a mobile device security policy
2. Mobile device management: Deployment of a Mobile Device Management (MDM) solution
3. Addressing application risk: Minimize risk of malware and insecure mobile apps affecting the organization's data
4. Managing the mobile environment: Address risk tied to enrollment, deprovisioning, patching and monitoring

Page 30
Internet of Things (IoT)
What is the Internet of Things?

The Internet of Things, also called the Internet of Objects, refers to a network between objects such as household appliances; usually the network will be wireless and self-configuring.

By embedding short-range mobile transceivers into a wide array of additional gadgets and everyday items, it enables new forms of communication between people and things, and between things themselves.

Page 32
Internet usage and population statistics

                              2003         2010          2015         2020
World Population              6.3 billion  6.8 billion   7.2 billion  7.6 billion
Connected Devices             500 million  12.5 billion  25 billion   50 billion
Connected Devices per person  0.08         1.84          3.47         6.58

More connected devices than people from 2010 onwards.

Source: Cisco IBSG, April 2013

Page 33
How will it affect your life

These things are starting to talk to each other and develop their own intelligence. Imagine a scenario where:

• Your meeting was pushed back 45 minutes.
• Your car knows it will need fuel to make it to the train station. Fill ups usually take 5 minutes.
• This is communicated to your alarm clock, which allows you 5 extra minutes of sleep.
• There was an accident on your driving route causing a 15 minute detour.
• Your train is running 15 minutes behind schedule.
• And signals your car to start in 5 minutes to beat the dew accumulated on your battery due to overnight fog.
• And signals your coffee maker to turn on 5 minutes late as well.

Page 34
Why internet of things

Nanotechnology, product sensors, sensor-driven analytics, and sophisticated tracking capabilities — the Internet of Things holds huge promise for organizations. Organizations need to balance the opportunities against the privacy that consumers innately expect.

Promises of the Internet of Things:
• Dynamic control of industry and daily life
• Accessibility & Usability
• Improve the resource utilization ratio
• Universal transport & internetworking
• Better relationship between manual workforce and machines
• Flexible configuration
• Forming an intellectual entity by integrating human society and physical systems

Page 35
Seven IoT risks organizations must consider

The Internet of Things has great potential for the consumer as well as for enterprises, but not without risk. The Internet of Things is growing fast, and so are the risks. Here are seven risks that must be taken into account when planning an IoT policy:

1. Rapid demand in bandwidth requirement
2. Modular hardware and software components
3. Understanding the complexity of vulnerabilities
4. Disruption and denial-of-service attacks
5. Fulfilling the need for security analytics capabilities
6. IoT vulnerability management
7. Identifying, implementing security controls

Information security organizations must begin preparations to transition from securing PCs, servers, mobile devices and traditional IT infrastructure, to managing a much broader set of interconnected items incorporating wearable devices, sensors and technology we can't even foresee currently.

Page 36
Employee Engagement
Why is employee engagement important

The Team Performance Curve illustrates the various degrees of teamwork to which a group can aspire (Team Impact plotted against Team Effectiveness): Working Group, Pseudo Team, Potential Team, Real Team, High Performance Team.

Benefits of an Effective Team
► Better outputs
► Tasks accomplished faster
► Healthy competition
► Skills and knowledge gained from one another
► Relations among employees improved
► Additional support
► Cushion so work won't suffer if one person leaves

Page 38
Employee Engagement for Information Security

Training Program
• Basic Training: Acquire general skills. This can be done at the time of employee on-boarding.
• Initiation Session: Get information on specific topics. This can be achieved through online modules on information security.
• Continuous Education: Maintaining skills and acquiring specific skills. This can be done through class room sessions or discussions.

Awareness Program
1. Newsletters
2. Screensavers and wallpapers
3. Posters
4. Mailers
5. Information security Quiz

Meetings and Discussions
1. Meetings and insights
2. Workshops on Information security
3. Rewards and recognition for contribution and participation in information security events

With the rising level of security breaches, it is more critical than ever that organizations raise security awareness by turning users into their first line of defence.

Page 39
Cloud Security
Typical cloud computing implementation models

Four models are shown, each with its cloud service provider, cloud service consumer(s) and control owner:
• Public cloud
• Private cloud
• Community cloud (shared by a community of cloud consumers)
• Hybrid cloud (combining public and community/private clouds; control owner TBD)

Page 41
Cloud adoption is on the rise and is becoming more critical for business

► There has been a dramatic increase in cloud adoption over the last two years.
► Cloud is accelerating the digital transformation currently underway.
► Users continue to bypass in-house IT when adopting cloud solutions.
► Since cloud solutions have been mostly implemented as point solutions, integrating these is quickly becoming a priority.
► Organizations are beginning to understand that the "hybrid cloud model" is the preferred method of service delivery in many situations. However, a hybrid model introduces complexity and risk if not assessed and fully understood.
► Companies are weighing the value, cost and risk of cloud solutions rather than building new environments in-house.

Does your organization currently use cloud-based services? Respondents saying they are currently using or planned to use cloud computing services:
• 2010: 30%
• 2011: 44%
• 2012: 59%
• 2014: 68%

Source: EY Global Information Security Survey (GISS) 2014
Page 42

With every wave of adoption, there is a unique set of challenges

Point solutions → Hybrid solutions → Cloud-first solutions
The market is here.

Wave 1 – Point solutions: adoption of commodity cloud systems
Wave 1 challenges faced:
► Cloud strategy development
► Software as a service (SaaS) implementation
► Infrastructure as a service (IaaS) implementation
► Cloud security

Wave 2 – Hybrid solutions: integration and securing systems
Wave 2 challenges faced:
► Cloud governance
► IT operating model evolution
► Hybrid architectures
► SaaS integration
► IT as a Service (ITaaS)
► Data center evolution

Wave 3 – Cloud-first solutions: migration of legacy systems to the cloud
Wave 3 challenges faced:
► Vertical platform as a service (PaaS) solutions
► Identity and access management
► Business continuity management
► Service management integration

Page 43
Does cloud create a better, stronger fortress or easier access to the crown jewels?

Our research indicates that cloud solutions are more likely to be the target of cyber attacks.

[Figure: failed and successful attacks against the data held in the cloud: financial data; customer info; pricing, costing data; SSN, PHI, PII data*; proprietary data/processes; trade secrets; strategic information; R&D data; legal actions]

Cloud providers consistently invest in enhancing the security controls of their solutions.

* Social security number, personal health information, personally identifiable information

Page 44
Typical cloud computing components & threats

► Sniffing of subscriber content while it is being synced between multiple devices
► Weak APIs for external application connectivity
► Hypervisor jump
► Lack of 2-factor authentication for account access
► Directory traversal
► Parameter tampering
► XSS
► SQL Injection
► Usage of clear text protocol
► Identity spoofing
► Inadequate error handling
► Unknown services running on the underlying OS
► Clear text storage of user credentials
► Unhardened DB server
► Weak authentication mechanism for DBA user
► Backend access to customer data
► Unrestricted remote access to DB using SQL clients
► Insecure underlying OS
► Data is sniffed during transit
► Usage of SNMP for server monitoring
► Remote administration of cloud server undertaken over VNC
► Usage of generic user ID for server administration

Page 45
Cloud computing security considerations

Typical areas under consideration

Privileged user access: Who will have access to customer data? What controls are in place to restrict this access?

Regulatory compliance: How will using the cloud affect the ability to comply with regulatory requirements? Is an independent third-party audit or certification conducted?

Data location and ownership: Where will the data be stored? Will it be replicated out of the country? Can the customer restrict where the data is stored? Who owns the data once it is in the cloud?

Data segregation: How can the provider demonstrate that its other customers cannot “see” the user’s data? What kind of encryption is in place? How are the keys managed?

Recovery: What happens to the user data in the event of a disaster? Is it backed up or replicated somewhere else? How are backups accessed? How long does it take to restore the user data?

Investigative support: If there is any kind of legal investigation, can the provider give the investigating agencies the data support needed?

Notification of third-party data requests: If law enforcement asks the provider for user data, does the provider have an obligation to notify the user? What if it is instructed not to?

Page 46
Social Media Management
Organizations today are using social media to engage customers and drive key business objectives

How are companies using social technology to drive business? (respondents using / planning to use)
► Transforming customer experience: 44 using, 37 plan to use
► Driving conversations: 56 using, 20 plan to use
► Drive business impact: 61 using, 27 plan to use
► Connect with customers: 93 using

How are companies using social technology to engage with customers? (respondents using / planning to use)
► Enable customers to give purchase advice: 27 using, 52 plan to use
► Enable customers to support other customers: 41 using, 30 plan to use
► Enable customers to share ideas: 59 using, 27 plan to use
► Engage with loyal customers: 68 using, 15 plan to use

Source: Telesperience 2013

Page 48
The premise of Digital and Social Media brings with it both opportunities and risks...

Risks
Nearly 40% of respondents to the 2011 Global Information Security Survey rated social media-related risks and issues as challenging.

[Figure: risks regarding social media, grouped as strategic, operational, reputational, compliance, security, privacy, social engineering and regulations]

► Leaking of sensitive information ― Employees involved in social media inadvertently leak sensitive company information
► Social engineering ― Criminal hackers “re-engineer” confidential information (logins or passwords) based on information obtained from employee posts, resulting in security vulnerabilities
► Misuse of social applications ― Inappropriate utilization of the social applications using company resources
► Loss of revenue ― Breaches in company information result in lost revenue potential
► Brand/reputation damage ― Damage to a brand or company reputation from negative, embarrassing or even incriminating employee or customer posts, even those that are well-intended
► Breach of compliance ― More platforms create more access for viruses, malware, cross-site scripting and phishing

Opportunities
[Figure: digital and social media in the enterprise]
External view: Branding and Marketing; Customer Communication; Customer Relations; Customer Feedbacks; Social Media for Recruiting
Internal view: Innovation and Crowd Sourcing; Internal Trainings; Internal CRM; Internal Knowledge Sharing

Page 49
Social media program development solution

Step 1 – Strategy and Governance
Scope:
► Understand digital footprint and assess risks
► Align governance of social media with existing governance mechanisms
Output:
► Risk assessment
► Current state maturity

Step 2 – Policies & Processes
Scope: develop the policies and procedures to cover the following areas:
► Employee personal use of social media in the workplace
► Employee use of social media for business purposes
► Management procedures for company accounts on social media sites
► Use of company owned mobile devices for accessing social media
Output:
► Execution of the social media strategy through the delivery of social media policies and procedures

Step 3 – People
Scope:
► Update security training and awareness programs to include topics related to social media
► Assign responsibility for execution of social-media-related policies
Output:
► Implementation of social media user awareness and training is defined

Step 4 – Technology
Scope:
► Include incident response for social media risks in the information security response plan
Output:
► Data breach incident handling procedures

Step 5 – Social Media Monitoring
Scope:
► Monitor compliance of policies and procedures
► Track performance against KPIs
Output:
► Ensure social media effort is on track, addressing risks and aligned with strategic goals.

Page 50
Section 2 Cyber Security Solutions
Emerging solutions for Cyber security
Contents
1 Data leakage prevention (DLP)
2 Identity and Access Management (IDAM)
3 Mobile device Management (MDM)
4 Privilege Identity Management (PIM)
5 Security Information and Event Management (SIEM)
6 Open Web Application Security Project (OWASP)

Data Leakage Prevention (DLP)
What is Data Leakage Prevention (DLP)?

Data Leakage Prevention (DLP) solutions are intended to detect and prevent the unauthorized use and transmission of sensitive information.

DLP solutions identify, monitor, and protect data in use (e.g., desktop, laptop), data in motion (e.g., network actions), and data at rest (e.g., databases, file shares).

Page 54
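The content-inspection step a DLP solution applies to data in motion, as an added example that is not part of the original deck: it looks for two of the identifiers the deck names later (SSN and payment card numbers), reduces false positives with issuance rules and the Luhn check, and applies a simple allow / quarantine / block policy. The sample messages, the `example.com` internal domain and the thresholds are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# US SSN in NNN-NN-NNNN form. Area 000, 666 and 900-999, group 00 and serial 0000 are
# never issued, so excluding them removes obvious false positives before any alerting.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# Candidate payment card numbers: 13-19 digits, optionally separated by spaces or dashes.
PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit used by payment cards; rejects most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Redacted form that is safe to write to the DLP incident log."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


@dataclass
class Finding:
    kind: str      # "SSN" or "PAN"
    masked: str


@dataclass
class Verdict:
    action: str    # "allow", "quarantine" or "block"
    findings: list = field(default_factory=list)


def inspect(text: str) -> list:
    """Content inspection: return one Finding per sensitive identifier in `text`."""
    findings = [Finding("SSN", mask(m.group(0))) for m in SSN_RE.finditer(text)]
    for m in PAN_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_ok(digits):
            findings.append(Finding("PAN", mask(digits)))
    return findings


def decide(text: str, recipient_domain: str, internal_domain: str = "example.com") -> Verdict:
    """Constructed policy for data in motion: identifiers may travel inside the company,
    a few leaving the company are held for review, and a bulk transfer is blocked."""
    findings = inspect(text)
    if not findings or recipient_domain == internal_domain:
        return Verdict("allow", findings)
    if len(findings) >= 5:
        return Verdict("block", findings)
    return Verdict("quarantine", findings)


# Constructed outbound messages (not real data) showing each policy outcome.
SAMPLES = [
    ("Quarterly figures attached, no personal data.", "partner.net"),
    ("Customer John Doe, SSN 123-45-6789, card 4111 1111 1111 1111", "partner.net"),
    ("Customer John Doe, SSN 123-45-6789, card 4111 1111 1111 1111", "example.com"),
]

if __name__ == "__main__":
    for body, domain in SAMPLES:
        v = decide(body, domain)
        print(domain, v.action, [(f.kind, f.masked) for f in v.findings])
```

The same `inspect` pass serves data at rest when pointed at files on a share; only the policy in `decide` changes.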
Data loss scenarios

Sample data loss scenarios
1 Loss or theft of laptops or mobile devices
2 Unauthorized transfer of data to portable media
3 Unable to locate and protect sensitive data
4 Theft of company confidential data
5 Lack of content awareness and incident response process
6 Access to sensitive data by unauthorized users

Potential risks of data leakage
► Brand damage and loss of reputation
► More cost and effort for notification
► Losing competitive advantage
► Legal actions – litigation
► Risks for organization
► Loss of customers
► Regulatory actions or sanctions
► Fines and civil penalties
► Loss of shareholder value

Page 55
Data life cycle

[Figure: the data/information life cycle (define & design through dispose) set against the forms data takes: tangible documents, electronic documents and other media; structured data (database) and unstructured data (email, web); and storage locations]

Page 56
Data Leakage Prevention Program

A Data Leakage Prevention Program must include all domains of People, Process & Technology to effectively prevent the leakage of data.

► For a Data Leakage Prevention Program to be effective, a top-down approach must be applied to holistically address the problem of Data Leakage
► Governance must be established; roles & responsibilities defined to effectively manage and maintain the Program
► All supporting IT processes must be enhanced based upon gaps uncovered by a comprehensive Data Leakage Risk assessment
► Technology solutions must be adopted to cover all 3 domains, to effectively monitor, prevent and respond to any potential Data Leakage

People: Rules; Governance; Training; Communication
Process: Policies; Procedures; Access control; Endpoint security; Data Classification; Incident Response; Auditing and Monitoring
Technology: Network based; Agent based

Page 57
How should a data leakage prevention program be implemented?

[Figure: data leakage prevention program lifecycle and process. Elements shown: DLP triggers (business drivers; information security, insiders & outsiders; regulatory requirements; legal & privacy requirements; business continuity); senior management buy-in / executive sponsorship; Data Leakage Prevention Assessment (use case and information systems); critical processes & data (data sets; criticality & sensitivity; monitored processes / applications; information systems / data); vendor evaluation / pilot; enabling tools / technology (governance; data classification; auditing & monitoring; security / operational controls; education & awareness; communication; supporting infra); data leakage prevention policies & procedures; data protection policies & procedures; asset / data management; data governance]

Page 58
Data protection control model

Data Governance: Policies and standards; Identification; Risk assessment; Classification; Architecture; Quality

Data protection controls (applied to both structured and unstructured data)

Focus areas for data in motion:
► Perimeter security
► Network traffic monitoring/blocking
► Web content filtering
► Data collection and exchange
► Messaging (Email, IM)
► Remote access

Focus areas for data in use:
► Privileged user monitoring
► Workstation restrictions
► Application controls
► Data labelling/tagging
► Removable/external media control
► Export/clipboard/print control

Focus areas for data at rest:
► Encryption
► Obfuscation/tokenization
► Mobile device protection
► Network/server repository control
► Physical media control
► Archive, disposal and destruction

Supporting information security processes

Page 59
Identity and Access Management
Identity and access management (IDAM) explained

Identity and access management (IDAM) is the discipline for managing access to enterprise resources. It is a foundational element of any information security program. IAM can be described by defining its core components:

Identity management: The processes and technologies collectively used to manage the life cycle of digital identities (profiles) for people, systems, and services. Identity management typically includes:
► Unique identities and authentication credentials
► Provisioning new user accounts
► Ability to modify, suspend, or remove accounts
► Managing identity data and credentials
► Auditing and reporting of user identity information

Access management: The processes and technologies collectively used to manage who has access to what specific resources. Access management typically includes:
► Capability to request specific entitlements and/or roles
► Workflow processes for approving the granting of entitlements and/or roles to a user
► Identifying and preventing inappropriate combinations of entitlements and/or access
► Ability to review, remove, approve, and certify the entitlements
► Ability to modify or remove the entitlements
► Managing the association of entitlements to roles

Page 61
IDAM Life Cycle and Framework

[Figure: the identity life cycle Request → Approve → Provision → Maintain → Review → Terminate, surrounded by the framework capabilities below]

► Identity profile management: unique ID generation; credential management; authoritative source data management
► Provisioning and workflow: privileged access management; role management; fine-grained access policy administration
► Access and review certification: policy compliance monitoring; role definition and certification; privileged access monitoring; reporting
► Shared authentication service; single sign-on; identity federation; fine-grained access policy enforcement; log consolidation and analysis; Security Information and Event Management (SIEM)

Page 62
IDAM – Logical Representation

[Figure: logical architecture of the IDM platform. Actors: Requester, Affiliates/Sponsors, System Admin (configure, troubleshoot), Auditor. Sources and targets: Enterprise Directory, HR System, Resources (Windows, Database, Mail, VPN/Server), Federated IDs, Internet, Disaster Recovery Site. IDM functions: Profile Management, Request Access, People Search, Role Assignment, User Provisioning, Role Engine, Access Policy, Access Review & Certification, Provisioning Engine. Monitoring and audit: System & Event Monitoring, Log storage & consolidation, Correlation & Reports, ID Audit, User Metrics Report, Reports]

Page 63
Evolution of IAM
Moving beyond compliance

IAM 1.0 – the past
► Project-based deployment
► Compliance driven approach
► Provisioning focused
► Individual employee identity management
► High cost vs. benefits realized
► Limited compliance value
► Limited view of enterprise access
► Poor application adoption

IAM 2.0 – the present
► Program-based deployment
► Risk driven approach
► Entitlement management focused
► All user identity management (e.g. employees, contractors, system accounts)
► High compliance value
► High compliance cost
► Moderate benefits realized vs. cost
► Central view of access
► Increased application adoption

IAM 3.0 – the future
► Enterprise-based deployment
► Capability driven approach
► Business enablement driven
► High benefits realized vs. cost
► High business value beyond compliance
► Central view of access by technology
► Strong technology adoption

Page 64
Mobile Device Management
Mobile Device Management – Existing Vulnerabilities

► No Mobile Device Management Policy
► No encryption on data
► Mobile tracking
► Insecure transmission
► Compromise in confidentiality may lead to legal / regulatory penalty

Page 66
Mobile Device Management – goals for the mobile security program

Mobile device management (MDM) is an industry term for the administration of mobile devices, such as smartphones, tablet computers, laptops and desktop computers. MDM is usually implemented with the use of a third party product that has management features for particular vendors of mobile devices. MDM tools are leveraged for both company-owned and employee-owned (BYOD) devices across the enterprise or mobile devices owned by consumers.

Mobile device security goals and concepts

Goal: Protect access if lost
► Screen lock
► Password complexity
► Encryption
► Patch management
► Two-factor authentication and use of Virtual Private Network (“VPN”) capabilities
► Security awareness
► Backup

Goal: Protect data if lost
► Incident response
► Secure wipe policies on devices
► Policies and procedures
► Security awareness
► Encryption
► Limit the types of data and applications available to mobile devices

Goal: Limit exposure to new vulnerabilities
► Risk assessments
► Threat modeling
► Emerging threat monitoring
► Patch management
► Network monitoring and log management
► Application monitoring
► Security assessments and attack and penetration

Goal: Effectively handle incidents and threats
► Risk assessments
► Threat modeling
► Incident response
► Policies and procedures
► Vulnerability management
► Security awareness for IT operations

Page 67
Mobile Device Management – Architecture Diagram

[Figure: MDM system architecture. The MDM system connects the enterprise side (Active Directory for user authentication; management functions: user management, app management, device control, remote control, policy setting, URL filtering, app delivery, authentication, device info, containerization) with end users over intranet / Internet and 3G / Wi-Fi / LTE; information acquisition flows from the devices to the MDM system and management instructions flow from the MDM system to the devices]

Page 68
Mobile Device Management Framework

Each focus area is rated on a five-point scale: Basic, Evolving, Established, Advanced, Leading. The descriptions below give the Basic and Leading ends of the scale.

Security awareness
Basic: Mobile security is not included in the existing employee security awareness programs
Leading: Mobile security is fully integrated in existing employee security awareness programs

Policy
Basic: Currently there are no IT policies that govern mobile security issues
Leading: IT policies have been implemented to govern usage and validate employees’ understanding

Threat modeling
Basic: No threat modeling is performed when moving applications to a mobile platform
Leading: Threat modeling procedures are performed prior to moving applications to a mobile platform

Developer training
Basic: No secure coding training is offered to developers
Leading: Training offered to application developers includes secure coding practices for mobile device platforms

Data
Basic: There are currently no limits on the types of data transferred to mobile devices
Leading: Sensitive data transferred to mobile devices is limited, and view-only access is used where possible

Management tools
Basic: No mobile device management software is used
Leading: Mobile device management software is used to create an encrypted password-protected sandbox for sensitive data and enforce device-side technical policies

Assessments
Basic: Technical security assessments are not performed on mobile devices and the supporting infrastructure
Leading: Technical security assessments are performed on a regular basis for mobile applications, devices and the supporting infrastructure

Emerging threats
Basic: New and emerging threats in mobile platforms are not evaluated
Leading: A formal program has been established that continually evaluates new and emerging threats in mobile platforms

Bring your own device
Basic: Employee owned mobile devices are not allowed to connect to the corporate assets
Leading: Policies and technologies are in place to provide for the secure connection of multi-platform employee owned mobile devices to corporate assets

Incident response
Basic: Mobile security considerations are not included in the corporate incident response plans
Leading: Mobile security considerations are fully integrated into the corporate incident response plans

Monitoring
Basic: There is no monitoring of controls around mobile device connection points
Leading: Monitoring of controls around mobile device connection points is performed on a regular basis

Page 69
Mobile Device Management (MDM) is a first step for risk mitigation in diverse mobile deployments

Without MDM
► Limited security controls
► Inability to securely wipe devices
► No application management
► No way to restrict devices based on security settings
► Hard to control enrollment
► Limited manageability
► Difficult to manage devices
► Little or no control over device status
► Doesn’t scale

With MDM (benefits of MDM)
► Consistent controls
► Secure, confirmed remote wipe
► Compartmentalization and app management
► Restrict based on policy
► Control enrollment and deprovisioning
► Better manageability
► Easier to manage and support diverse devices
► Better control over device status
► Scales to many types of devices

Page 70
Privilege Identity Management (PIM)
Privileged Identity Management (PIM) – An introduction

Privileged Identity Management (PIM) is the discipline for managing human or machine accounts which have elevated levels of entitlement to platform, system or application resources. It is frequently used as an information security and governance tool to help companies meet compliance regulations and to prevent internal data breaches through the use of privileged accounts.

Privileged accounts are any type of account that holds special or elevated permissions within enterprise systems. This typically includes the following:

Administrative Accounts: Users with near or complete control of a system, who are authorized to set up and administer user accounts, identifiers, and authentication information, or are authorized to assign or change other users' access to system resources.

Privileged Personal Accounts: These are the powerful accounts that are used by business users and IT personnel. These accounts have a high level of privilege and their use (or misuse) can significantly affect the organization’s business. Examples include DBA and IT support users’ personal accounts.

Application Accounts: Accounts used by applications to access databases and other applications often use hardcoded application user ID and password combinations in scripts and ODBC connection strings. Typically these accounts have broad access to other sensitive information within data repositories.

Page 72
Privileged Identity Management (PIM) Lifecycle

The lifecycle of PIM is depicted below.

Access includes the process of centrally provisioning role-based time-bound credentials for privileged access to IT assets to facilitate administrative tasks. The process also includes automation for approval of access requests and auditing of access logs.

Control includes the process of centrally managing role-based permissions for tasks that can be conducted by administrators once granted access to a privileged IT resource. The process also includes automation for approval of permission requests and auditing of administrative actions conducted on the system.

Monitor includes audit management of logging, recording and overseeing user activities. This process also includes automated workflows for event and I/O log reviews and acknowledgements and centralized audit trails for streamlined audit support and heightened security awareness.

Remediation includes the process of refining previously assigned permissions for access and/or control to meet security or compliance objectives, and the capability to centrally roll back system configuration to a previous known acceptable state if required. Automation of the PIM privileged access management lifecycle includes a central unifying policy platform coupled with an event review engine that provides controls for and visibility into each stage of the lifecycle.

Privileged Identity Management – Next Steps
► Implement a Privileged Identity Management (PIM) Solution
► Integrate the PIM solution into the Identity and Access Management User Lifecycle Management
► Enhance logging of privileged password and account activity and use
► Implement advanced audit logging to include behavioural analytics of user actions
► Integrate analytics output to improve audit and compliance reporting

Page 73
Business drivers for Privileged Identity Management (PIM)

Unmanaged privileged identities can be exploited by both insiders and external attackers. If they are not monitored, held accountable, and actively controlled, malicious insiders, including system administrators, can steal sensitive information or cause significant damage to systems.

Factors propelling the adoption of privileged identity management solutions across all industries:
► High administrative costs due to account maintenance, password resets, inconsistent information
► Inflexible information technology (IT) environments with multiple applications on multiple platforms
► Aging IT infrastructures
► Organizations have large numbers of internal and external users accessing an increasing number of applications, with each user requiring a different level of security and control requirements.

Business Drivers
► Control Insider Threats
► Reduce Complexity
► Mitigate Hackers
► Mitigate Compliance Risks
► Improve IT Staff Efficiency
► Mitigate Malware

Page 74
Security Information and Event Management (SIEM)
SIEM – an introduction

Security Information and Event Management (SIEM) solutions are a combination of the former categories of SIM (security information management) and SEM (security event management). SIEM technology provides real-time analysis of security alerts generated by network hardware and applications.

SIEM functions:
► Log Collection
► Log Analysis
► Event Correlation
► Log Forensics
► IT Compliance
► Application Log Monitoring
► Object Access Auditing
► Real Time Alerting
► User Activity Monitoring
► Dashboards
► Reporting
► File Integrity Monitoring
► System and Device Log Monitoring
► Log Retention

Page 76
Typical working of a SIEM solution and its deployment options

[Figure: SIEM working]

Deployment options:
► Self-hosted, self-managed
► Self-hosted, MSSP-managed
► Self-hosted, jointly-managed
► Hybrid model, jointly-managed
► Cloud, self-managed
► Cloud, MSSP-managed
► Cloud, jointly-managed

Page 77
SIEM capabilities

Aggregation: SIEM solutions aggregate data from many sources, including network, security, servers, databases, applications, providing the ability to consolidate monitored data to help avoid missing crucial events.

Correlation: looks for common attributes, and links events together into meaningful bundles. This technology provides the ability to perform a variety of correlation techniques to integrate different sources, in order to turn data into useful information.

Alerting: the automated analysis of correlated events and production of alerts, to notify recipients of immediate issues.

Dashboards: SIEM tools take event data and turn it into informational charts to assist in seeing patterns, or identifying activity that is not forming a standard pattern.

Compliance (preparing for the audit): SIEM applications can be employed to automate the gathering of compliance data, producing reports that adapt to existing security, governance and auditing processes.

Data Retention: SIEM solutions employ long-term storage of historical data to facilitate correlation of data over time, and to provide the retention necessary for compliance requirements.

Page 78
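Aggregation, correlation, alerting and a dashboard rollup in one small pipeline, as an added example that is not from the deck or from any SIEM product: two differently formatted sources are normalised into a common schema and a correlation rule links events by source IP over a time window. The sshd and VPN log lines, the IP addresses, the user names and the threshold are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Source 1: Linux sshd syslog lines. Source 2: a VPN appliance logging key=value pairs.
# Both are constructed samples for this example, not captured production logs.
SSHD_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\S+)")
KV_RE = re.compile(r"(\w+)=(\S+)")

SSHD_SAMPLE = [
    "2024-03-01T09:00:01 bastion sshd[4101]: Failed password for invalid user admin from 203.0.113.7 port 51000 ssh2",
    "2024-03-01T09:00:04 bastion sshd[4102]: Failed password for root from 203.0.113.7 port 51002 ssh2",
    "2024-03-01T09:00:09 bastion sshd[4103]: Failed password for invalid user test from 203.0.113.7 port 51004 ssh2",
    "2024-03-01T09:00:15 bastion sshd[4104]: Failed password for jsmith from 203.0.113.7 port 51006 ssh2",
    "2024-03-01T09:01:30 bastion sshd[4105]: Accepted password for jsmith from 198.51.100.20 port 60000 ssh2",
]
VPN_SAMPLE = [
    "ts=2024-03-01T09:00:20 event=vpn_auth user=jsmith src_ip=203.0.113.7 result=FAIL",
    "ts=2024-03-01T09:02:40 event=vpn_auth user=jsmith src_ip=203.0.113.7 result=OK",
    "ts=2024-03-01T09:05:00 event=vpn_auth user=mlee src_ip=198.51.100.20 result=OK",
]


def parse_sshd(line: str):
    """Normalise one sshd line into the common event schema (None if not an auth event)."""
    m = SSHD_RE.match(line)
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": "sshd", "ip": m["ip"],
            "user": m["user"], "outcome": "failure" if m["result"] == "Failed" else "success"}


def parse_vpn(line: str):
    """Normalise one VPN appliance line into the same schema."""
    kv = dict(KV_RE.findall(line))
    if kv.get("event") != "vpn_auth":
        return None
    return {"ts": datetime.fromisoformat(kv["ts"]), "src": "vpn", "ip": kv["src_ip"],
            "user": kv["user"], "outcome": "failure" if kv["result"] == "FAIL" else "success"}


def aggregate(sshd_lines, vpn_lines):
    """Aggregation: one time-ordered event stream regardless of where each event came from."""
    events = [e for e in map(parse_sshd, sshd_lines) if e]
    events += [e for e in map(parse_vpn, vpn_lines) if e]
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, threshold=5, window=timedelta(minutes=10)):
    """Correlation rule: at least `threshold` failures from one IP within `window`, then a
    success from that same IP on any source, is a likely credential-guessing success.
    Neither source alone reaches the threshold in the sample; the bundle does."""
    failures = defaultdict(list)
    alerts = []
    for e in events:
        ip = e["ip"]
        recent = [t for t in failures[ip] if e["ts"] - t <= window]
        if e["outcome"] == "failure":
            failures[ip] = recent + [e["ts"]]
        elif len(recent) >= threshold:
            alerts.append({"ip": ip, "user": e["user"], "via": e["src"],
                           "failures": len(recent), "at": e["ts"].isoformat()})
            failures[ip] = []       # one alert per burst
    return alerts


def dashboard(events):
    """Dashboard rollup: failed logins per source IP, so the outlier is visible at a glance."""
    counts = defaultdict(int)
    for e in events:
        if e["outcome"] == "failure":
            counts[e["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    stream = aggregate(SSHD_SAMPLE, VPN_SAMPLE)
    print(dashboard(stream))
    for a in correlate(stream):
        print("ALERT", a)
```

Feeding either source on its own produces no alert, which is the point the slide makes about aggregation: the pattern only exists once the sources are bundled.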
Open Web Application Security Project (OWASP)
OWASP – an introduction

The Open Web Application Security Project (OWASP) is dedicated to finding and fighting the causes of insecure software. The OWASP Foundation is a 501c3 not-for-profit charitable organization that ensures the ongoing availability and support for our work.
► Participation in OWASP is free and open to all.
► Everything here is free and open source.
► Main objectives: producing tools, standards and documentation related to Web Application Security.
► Thousands of active members, 130+ local chapters in the world

OWASP Top 10
A1: Cross Site Scripting
A2: Injection Flaws
A3: Malicious File Execution
A4: Insecure Direct Object Reference
A5: Cross Site Request Forgery (CSRF)
A6: Information Leakage and Improper Error Handling
A7: Broken Authentication and Session Management
A8: Insecure Cryptographic Storage
A9: Insecure Communications
A10: Failure to restrict URL access

Page 80
The ten commandments of OWASP

The following outlines the key criteria assessed as part of a web application test under the OWASP approach. The following ten items are considered to be high risk areas for web application assessments.

A1: Injection flaws such as SQL, OS and LDAP injection occur when untrusted data is sent to an interpreter as part of a command.
A2: XSS flaws occur whenever an application takes untrusted data and sends it to a web browser without proper validation.
A3: Application functions related to authentication and session management are often not implemented correctly, allowing attackers to compromise
A4: Direct object reference occurs when a developer exposes a reference to an internal implementation object.
A5: A CSRF attack forces a logged-on victim’s browser to send a forged HTTP request to a vulnerable web application.
A6: Security depends on having a secure configuration defined for the application; all of these should be in place.
A7: Applications need to perform URL checks when pages are accessed.
A8: Web applications frequently redirect and forward users to other pages. Without proper validation attackers can redirect to phishing websites.
A9: Processing of SPI data shall be done using cryptographic techniques by web applications.
A10: Applications frequently fail to encrypt network traffic when it is necessary to protect sensitive communications.

Page 81
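Three of the items above (A1 injection, A2 XSS, A4 direct object reference) shown as the flaw described beside its fix, as an added example that is not code from the deck: an in-memory SQLite database with constructed users and documents stands in for the web application's back end, and the table names, user names and document bodies are assumptions made for the example.

```python
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """In-memory database with constructed rows; the second bio is attacker-shaped on purpose."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, bio TEXT)")
    conn.executemany("INSERT INTO users (name, bio) VALUES (?, ?)", [
        ("alice", "Network engineer"),
        ("bob", "<script>alert(1)</script>"),
        ("carol", "Security analyst"),
    ])
    conn.execute("CREATE TABLE documents (id INTEGER PRIMARY KEY, owner_id INTEGER, body TEXT)")
    conn.executemany("INSERT INTO documents (id, owner_id, body) VALUES (?, ?, ?)", [
        (1, 1, "alice: salary letter"),
        (2, 2, "bob: project notes"),
    ])
    return conn


# A1, the flaw: untrusted input is spliced into the SQL text, so quote characters in the
# input change the structure of the command and the interpreter cannot tell data from code.
def find_user_unsafe(conn, name: str) -> list:
    sql = "SELECT name FROM users WHERE name = '" + name + "' ORDER BY name"
    return [row[0] for row in conn.execute(sql)]


# A1, the fix: a parameterised query sends command and data separately; the driver binds
# `name` as a value, so whatever it contains can only ever be compared as a literal.
def find_user_safe(conn, name: str) -> list:
    return [row[0] for row in
            conn.execute("SELECT name FROM users WHERE name = ? ORDER BY name", (name,))]


# A2, the flaw: untrusted data is sent to the browser without validation or encoding.
def render_bio_unsafe(bio: str) -> str:
    return '<p class="bio">' + bio + "</p>"


# A2, the fix: encode for the HTML text context so the browser displays the characters
# rather than parsing them as markup. Attribute, URL and JavaScript contexts each need
# their own encoding; one escape is not a universal fix.
def render_bio_safe(bio: str) -> str:
    return '<p class="bio">' + html.escape(bio, quote=True) + "</p>"


# A4, the flaw: the identifier exposed to the client is used directly as the lookup key, so
# any authenticated user who changes the id reads another user's record.
def fetch_document_unsafe(conn, doc_id: int):
    row = conn.execute("SELECT body FROM documents WHERE id = ?", (doc_id,)).fetchone()
    return row[0] if row else None


# A4, the fix: the lookup is also bound to the requesting user's identity, so the reference
# resolves only for its owner (an authorisation check on every object access).
def fetch_document_safe(conn, user_id: int, doc_id: int):
    row = conn.execute("SELECT body FROM documents WHERE id = ? AND owner_id = ?",
                       (doc_id, user_id)).fetchone()
    return row[0] if row else None
```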
OWASP benefits

But there’s additional value that the OWASP Top 10 2013 brings to the table that you may not have thought about. The OWASP Top 10 is a free and continually evolving resource that can be:
► Shared with both in-house and outside developers for software security training.
► Implemented as a standard that auditors will recognize and appreciate
► A source for measuring web-related risks specific to your environment
► Used to build your information security credibility
► Safe and sound web interfacing application environment

Page 82
Thank You
