7/23/2019 Mumbai Chapter E-journal 2014-15 Issue - 3
http://slidepdf.com/reader/full/mumbai-chapter-e-journal-2014-15-issue-3 1/21
Message From The President

“It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.” Clay Shirky, noted internet scholar and Professor at New York University, has said this. This is what is happening in today’s world. More and more personal and private information is being shared over the internet, and users are not taking enough measures to protect it. The information is available so easily that anyone can find out another person’s details: where he was born, his birthday, school and college attended, jobs and companies joined and left, likes and dislikes etc., without being aware that this data can be used whenever and wherever, and without their knowledge. This is the power of connectivity in today’s world, thanks to a phenomenon called the Internet, which started more than three decades ago. No one really foresaw the power of the Internet then, and even now.

ISACA Mumbai Chapter is taking precisely this theme, “The Internet of Things”, for its 19th Annual Conference, which is scheduled on August 1 and 2, 2015 at Hotel Westin Garden City, Goregaon. The conference will bring security professionals, auditors and consultants together to listen to some great speakers from the industry talking about various aspects of “The Internet of Things”, or should it be called “The Internet of Everything”? Look forward to seeing you there.

The chapter’s new office is now fully functional. We have conducted and completed the first CISA Review Course in the new premises, along with mock tests. The CISM Review Course has also been completed. COBIT 5 Foundation and PCI DSS Ver 3.0 workshops have also been conducted during the last quarter. All the courses and workshops were appreciated by the participants who attended. Various speakers have graced the Saturday Chapter meetings in the premises for the chapter members. We are now looking to conduct more and more meetings and workshops for the benefit of the members in the coming days.

Lot of things are happening in the outside world: the historic Iran nuclear sign-off, the Greek bailout, the earthquake in Nepal etc. These things are in some way connected to and affect all of us. They are also making us think that nothing is perpetual and change is constant. Always look for and embrace the change, tune to and with it, and the world would be a better place to live. Talking about change, one should not expect others to change and not themselves. David Brin has commented beautifully in relation with security: “When it comes to privacy and accountability, people always demand the former for themselves and the latter for everyone else.” I guess the time has come to change the mindset in the ever changing world of “The Internet of Things”.
isaca @ mumbai
E-JOURNAL (FOR INTERNAL CIRCULATION ONLY)
VOLUME 2, ISSUE 3

INSIDE THIS EDITION
Message From The President
From The Editor’s Desk
Get Connected To ISACA Mumbai Chapter
News Update
Interlude
Corporate Espionage – the insider threat
Social Media Usage In The Enterprise
Vendor risk assessment
Security Considerations while Procuring BYOD Solutions for Mobile Phone/Tablets
ISACA Conference Photo Gallery
Solution To Last Edition’s Crossword Puzzle
Crossword Puzzle
-Vaibhav Patkar
© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.
From the Editor’s Desk

This may probably be my last editorial this financial year. We are in the midst of times wherein every other day we read of a hack / data breach. Thus data protection has become one of the key concern areas for most companies. The corporate world is gearing up to face this challenge of protecting its data.

People post pictures of themselves and their friends wherever they are, along with the location. “Selfies” have become so popular, and profile pictures are being changed by individuals on a daily basis. Is your picture posted on Facebook or WhatsApp safe? Once you post it, is it on the server of Facebook or WhatsApp? Whom does it belong to now? You? Where is the server hosted? Which country does it belong to? So many questions, no real answers. These questions perhaps may be answered in the ensuing ISACA Mumbai Chapter Conference.

Interestingly, the key theme of ISACA Mumbai Chapter’s Annual Conference scheduled on August 1st and August 2nd is “IOT – Internet of Things”. The conference is preceded by a workshop on 31st July. As per the ISACA IT Risk/Reward Barometer 2014 survey, 43% believe IOT is likely to be one of the major thrust areas and impactful from a future business plan perspective. 60% believe that Bring your own wearable or Bring your own Device (BYOD) is risky. The conference has received a good response and seats are getting filled up fast. Wish all the members happy three days of networking.

For any feedback/articles/criticism/suggestions, please leave a message to

-Latha Sunderkrishnan
eJournal Editor, ISACA Mumbai Chapter
Get Connected to ISACA Mumbai Chapter

Given that the entire focus has now shifted to social media, ISACA Mumbai Chapter has attempted to create its presence on Twitter, Facebook and LinkedIn. However, no such initiative would succeed without your cooperation and participation. Please get connected!

Get socially connected with ISACA Mumbai Chapter in the following manner:
https://www.facebook.com/IsacaMumbaiChapter
https://twitter.com/ISACA_Mumbai
https://www.linkedin.com/ISACAMumbai

News Update from the Editor’s Desk

Logjam – This New Encryption Glitch Puts Internet Users at Risk

After the HeartBleed, POODLE and FREAK encryption flaws, a new encryption attack has emerged over the Internet that allows attackers to read and modify the sensitive data passing through encrypted connections, potentially affecting hundreds of thousands of HTTPS-protected sites, mail servers, and other widely used Internet services.

A team of security researchers has discovered a new attack, dubbed Logjam, that allows a man-in-the-middle (MitM) to downgrade encrypted connections between a user and a Web or email server to use extremely weak 512-bit keys, which can be easily decrypted.

Source http://thehackernews.com/2015/05/logjan-ssl-vulnerability.html
Source https://weakdh.org
Cyberattack Exposes I.R.S Tax Returns

Criminals used stolen data to gain access to past tax returns of more than 100,000 people through an application on the Internal Revenue Service’s website, the agency said on Tuesday. Using Social Security numbers, birth dates, street addresses and other personal information obtained elsewhere, the criminals completed a multistep authentication process and requested the tax returns and other filings, the I.R.S. said. Information from those forms was used to file fraudulent returns, the I.R.S. said, and the agency sent nearly $50 million in refunds before it detected the scheme.

Source http://www.nytimes.com/2015/05/27/business/breach-exposes-irs-tax-returns.html?_r=1

Gaana.com reportedly hacked, details of 10 million users allegedly scraped

One of India’s most popular music streaming services, Gaana.com, has reportedly been hacked. The site is currently down for maintenance, with no official statement given out yet. A Pakistan-based hacker has claimed responsibility for the hack and claims details of 10 million users, including their email address, date of birth and other information, have been scraped and made available in a searchable database.

The hacker, Mak Man, claims he can get all details of users by entering an email address. He claims his exploit has given him access to information about 10 million users of the service. Of course, the claims remain unverified at the moment.

Source: http://www.bgr.in/news/gaana-com-reportedly-hacked-details-of-10-million-users-allegedly-scraped/
http://thenextweb.com/insider/2015/05/28/indian-music-streaming-service-gaana-hacked-millions-of-users-details-exposed/

Ola Cabs Hacked And Users Credit Card Details Compromised

Ola Cab is a taxi service which has been hacked by a group of hackers called Team Unkown. The group posted a thread on Sunday on Reddit claiming that they have hacked the Ola Cab database, including all the information of the users such as credit card transaction history, vouchers etc.

Source: http://www.latesthackingnews.com/ola-cabs-hacked-and-users-credit-cards-details-comprised/

Kaspersky Lab cybersecurity firm is hacked

One of the leading anti-virus software providers has revealed that its own systems were recently compromised by hackers. Kaspersky Lab said it believed the attack was designed to spy on its newest technologies. It said the intrusion involved up to three previously unknown techniques. The Russian firm added that it was continuing to carry out checks, but believed it had detected the intrusion at an early stage. Although it acknowledged that the attackers had managed to access some of its files, it said that the data it had seen was "in no way critical to the operation" of its products.

Source: http://www.bbc.com/news/technology-33083050
Interlude

Brief Bio About The Interviewee
Anuprita Dagga, CISM is the Chief Information Security Officer of Reliance Capital Ltd.

Q: What is your vision for security for your organization for 2015?

A: In the world of technology, every day there is innovation. Every innovation is giving new opportunity as well as generating new threats. Due to the increase in the adoption of the internet, users are expecting every piece of information at their finger tips.

As we are in the financial services industry, it is very important to provide services to the customers and make them self-sufficient by providing self-service avenues.

Our vision is to provide a user-centric, trusted and secure environment for employees to conduct business, while ensuring protection of RCL information assets including customer data.

Q: How strong is your ISMF team and how much is the support from the management in your company? How often do you meet to discuss security issues?

A: We have a very strong governance framework and ISMF defined and practiced, which has a top-down approach. There is visibility from the end user up to the Board, and all issues and incidents are discussed at different levels. There is an “Information Security Risk Management Committee” defined which discusses all information security related issues and tries to address them in the most optimal manner. All the risks are reported to the Risk Management Committee, which reports to the Board.

Q: What do you think is the bare minimum compliance that needs to be followed to avoid any security breaches?

A: Security of customer information and company confidentiality is at the centre of the Information Security Management System. Protection and monitoring of confidential information is the minimum compliance that should be kept in mind while defining the information security program. Being in the financial services industry, we give priority to safeguarding and monitoring customer personal information and company confidential information.

There are 3 parallel paths which help in avoiding security breaches:

1. Proactive (Learning from the external world) – Every security professional needs to be aware of the security trends, threats, vulnerabilities published, breaches that occur in the external world etc. This will help the company to initiate proactive action plans before responding to any incident.

2. Reactive (Happening within the company) – Be aware of what is happening inside the company. Have a continuous monitoring mechanism, which can be used for improving system effectiveness and taking disciplinary action in case of violation.

3. Awareness (Deterrent) – People are the most critical part of the system. It is very important to make users aware of the information security concept about WHY, WHAT, WHERE and HOW.

One needs to ensure that organization security policies align with the requirements of the business. Needless to say, regulatory and statutory compliance requirements are mandatory in nature.

Q: How has being certified helped you enhance your career?

A: Yes. I am a certified CISM professional. It has definitely helped me to increase my professional knowledge, which I can use in my job. It has also helped me to collaborate with the same professional interest group and share information.

Q: Do you arrange for security awareness trainings? How often are they conducted in your organizations?

A: We do arrange security awareness trainings. We conduct formal and informal trainings in groups as well as establish connect with individuals, and also conduct refresher security awareness sessions for all users.

Q: What are the challenges that you face at your workplace?

A: Keeping pace with the developments of technology and maintaining dynamic security along with technology developments is one of the major challenges.

Q: How has social media impacted you professionally?

A: Social media helps one to know all the developments happening in the external world. In such a busy working schedule, it is the fastest channel to reach anyone. Social media has also made access to information easy.

Q: How do you keep updated with the latest security news?

A: Security news subscriptions, conferences, events, social media groups etc.

-Anuprita Dagga

Brief Bio About The Writer

Murli has 22 years of rich IT experience as a strategist, innovator and visionary. He has been instrumental in setting up information security divisions for Mashreqbank (Dubai), ICICI Bank and Reliance Capital group. He has conceptualized & implemented various innovative data security solutions like data flow analysis for data security, and worked on key security solutions like Privileged Identity Management, SIEM / SOC environments, incident response and recovery (including forensics) and many more.

Murli also worked as Chief Technology Officer for Apollo Munich Health Insurance, Reliance Life Insurance & Reliance International business.
Corporate Espionage – the insider threat
-Murli Nambiar
Introduction

All warfare is based on deception. There is no place where espionage is not used. Offer the enemy bait to lure him. ---- Sun Tzu (~ 400 B.C)

It's all about information. Corporate espionage can be defined as the collection of illegal and unethical activities undertaken by companies / organisations to gather, analyse and manage information on competitors with the purpose of gaining a corporate edge in the market.

Trade secrets, commercial secrets, intellectual property and strategic information like a potential bid price are typically targeted during industrial espionage.

In the early days, as now, spies deal mainly with information. They don’t care where the information comes from; it’s irrelevant as long as the information is compromised. In today’s workplace much focus is given to technical controls like implementing firewalls and IPS. While these are good to prevent the traditional hackers, they do not mitigate the risk of employees working as spies for the competition: the INSIDER THREAT.

The Associated Chambers of Commerce and Industry of India (Assocham) did a survey in 2012. “Over 35 percent of companies operating in various sectors across India are engaged in corporate espionage to gain advantage over their competitors and are even spying on their employees via social networking Web sites,” Assocham said in its report. Assocham made a stronger claim that about 900 respondents said they plant a mole in other companies, usually as receptionists, photocopiers and other low end jobs.

About 1,200 respondents said they use detectives and surveillance agencies to constantly monitor their employees’ activities and whereabouts, using moles and social media, according to the survey. About a quarter of respondents said they have hired computer experts for installing monitoring software to hack and crack the networks, track e-mails of their rivals and perform other covert activities, Assocham notes.

According to the survey, respondents also said they install “spying gadgets” like closed-circuit television cameras, audio and video surveillance devices, voice recorders, and global positioning systems in their offices to keep track of employees.

Another PwC report of 2013 calls industrial espionage “India’s new booming sector”. As per them, almost 80% of all CEOs use detective and surveillance agencies to spy on ex and current employees, in addition to attempting to get competitive advantage.

And the Federation of Indian Chambers of Commerce and Industry (FICCI) called business espionage the 9th biggest threat to Indian companies in its annual India Risk Survey in 2014.

Evolution of corporate espionage

The history of corporate/industrial espionage probably dates back to the sixth century, when Justinian, the Byzantine emperor, hired two monks to visit China.
He wanted them to gain an understanding of silk production in China and to smuggle silkworm eggs and mulberry seeds out of that country to break its worldwide monopoly on silk production. The monks smuggled these eggs and seeds out of China in hollow bamboo walking sticks.

Subsequently, in a few years the Byzantine empire replaced China as the largest silk producer in the world. Over the centuries, industrial espionage practices continued to play a major part in the development of many countries. In the 18th century, alarmed by the industrial and military supremacy of Great Britain, France sent its spies to steal the latter's industrial secrets…

Various types of espionage activities

Technology has transformed the capabilities of spying with the addition of miniature cameras, photocopiers disguised as pens (able to copy documents simply by rolling over them), sensitive microphones to pick up and record conversations, and satellites that survey the entire globe.

Technical intelligence

Radio signals, coded communications, recorded conversations, intercepted calls and emails, satellite surveillance and electronic monitoring of ship and aircraft movements all contribute to increasingly complex intelligence pictures. The proliferation of smartphones is another factor.

Commercial and trade intelligence

Corporate espionage has become more prominent. National interests are now more focussed on economic strength and commercial competition. Information regarding the strategy of a competitor is invaluable and is often used as a tool when negotiating contracts with customers. Corporate espionage can be online or offline; however, with advanced technology, online espionage in the form of hacking has been steadily gaining popularity.

Human intelligence

In some areas of espionage, however, human agents are still the best information sources because they can supply the missing factors – the intentions of those in command. Human espionage can reveal the way competition management think – what they know, what they want and what they plan to do to achieve their objectives. Traditionally companies spend their time and effort investing in technology controls to prevent online leakage; however, information is often leaked when the employees interact with head-hunters and their counterparts in other companies. Juneau Kastuva, President and CEO of a Canadian security firm, Northgate, estimated that 85 to 90 per cent of incidents involve the assistance of an insider who has legitimate access to the information. Thus, the most common agent of industrial espionage often emerges as an insider – an employee.

Double agents

In this shadowy world of cat and mouse, perhaps the most dangerous figure is the double agent – the spy with divided loyalties or personal greed who trades information between contenders and who betrays both sides with equal ease. To win an espionage battle, counterintelligence forces have to watch for the tell-tale signs of someone who does not quite belong, who shows too much interest in sensitive places or pieces of information, who associates with people who may be suspect, or whose background details seem less than convincing.

Implications of corporate espionage

Corporate espionage always damages the interests of the company, in some cases irreparably. Leaking of critical and confidential data would give an advantage to the competition. Innumerable cases are known where companies had disastrous results by virtue of stocks dropping, legal and financial implications and loss of customer confidence. The leaking of confidential product plans, marketing strategies, and financial documents could cripple an organization and bring it to extinction.

Tools and modus operandi

Tools – various tools could be used by spies: invisible ink, secret messages using codes and ciphers, microdots, telephone taps, hidden microphones, miniature cameras, infrared cameras, night vision systems etc. Many spying devices are available on the Internet at dirt cheap prices – motion activated video recorders, voice recorders, GPS tracking keys, watch cameras, PC / cell monitoring etc.

Modus operandi

Dumpster diving – the process of looking through trash to identify confidential data not disposed of correctly.

Carrying off confidential documents and joining competitors. Emailing / copying confidential information through unprotected USB / Internet access.

Social engineering attempts – attempting to misguide personnel into sharing their sensitive data, to either do malicious acts unknowingly or part with their credentials.

Joint ventures with competitors – during the process of expanding the state-of-the-art, a company must divulge its knowledge of the state-of-the-art.

Open source information – newspaper articles, corporate annual reports, court filings, marketing info etc.

Hiring of employees – the easiest way of getting a quick turnaround from an employee is to recruit from a company who has them. And when they come on board it would be difficult not to use the knowledge they have gained from the previous company when, for example, bidding for the same project.

Information collection specialists – trade shows, conferences. They usually act like potential customers or fellow researchers to elicit
More About The Writer

Murli is widely acknowledged as a domain expert and has been featured in a number of publications. He has spoken at many seminars and conferences as well, in addition to winning many awards in the Information security space. He was also featured in a book, “The Innovative Heroes”, published by DynamicCIO.com (2013), as one of the Top 30 CIOs. In his spare time, Murli is an avid photographer, and loves to travel, read and listen to old Hindi music.
information from people that are all too willing to give it up.

Most importantly of all – Insider Threat

Most incidents involve the use of insiders to steal information.

Getting an insider to collude can occur in various ways. They include people who have become disillusioned with the organization, greedy people who can be bought, and people who can be compelled to cooperate by threats to family, blackmail and other ugly means. Hatred of those in power, a desire to hasten their downfall, or a need for money or goods in short supply are other motives. For some, excitement and adventure could be enough reason.

In many corporate organizations, especially the big corporates, it’s easy for people with malicious intent (read spies) to get a job. Once they get in they are usually not monitored or given a cooling period before having access to confidential data. Thus, they go undetected in their thefts of information. This highlights the issue of information security teams spending time and money in protecting their perimeter but not having sufficient internal controls.

Getting jobs in housekeeping and other supporting functions is easy enough. Then, at night the floor is theirs to play. Any document kept in the open, files not locked away are easy material to copy and steal. They would also go through the trash to see documents that are not properly shredded and gather information. This is a very effective way of getting information without raising any suspicion. In some cases, if the person posing as housekeeping personnel is actually someone who knows computers, trying to break into open systems or trying to log in to systems is another easy way. Unless the organization has trained its personnel to identify these kinds of break-ins (for example, showing the last login time and noticing an unearthly login time, or the account being locked out when they come in the morning to work), it’s an easy process for the spies to keep trying until they strike it lucky.

In some cases, they could also keep bugs to record conversations that take place, especially in sensitive areas like the board or conference rooms. These are areas which are rarely scanned for these devices and could provide unimaginable benefits to the spies. A board discussion on sensitive and critical corporate topics would probably be of immense benefit to a competitor.

Some methods to detect espionage activities

Identification of, or increase in, spear phishing activities – The spear phishing emails contain either a malicious attachment or a hyperlink to a malicious file. The subject line and the text in the email body are usually relevant to the recipient.

Establishing a presence – usually firewalls detect inbound traffic, but all malicious activities require the exploit to report back to a C2 (command and control) server. Backdoors that mimic legitimate traffic use SSL encryption, so communications are hidden in an encrypted SSL tunnel. This backdoor will communicate to the server, and Infosec / IT teams need to monitor outbound traffic in this regard.

Privilege escalation – once a presence is made, the next step is to gain access to more resources within the network. The malicious user will try to dump the password hashes to obtain legitimate user credentials. Identifying any activity attempted using such password cracking would help detect malicious activity.

Monitor logs and physical access control devices regularly – monitoring the logs of various servers, firewalls and IPS and developing correlation rules which can highlight the possibility of any potential breach. The CCTV and any biometric / access control device logs should be regularly monitored to identify cases. If the housekeeping team seem to be spending more time in specific areas than required, review the reasons for it.

Physical scans / verification – conduct regular checks of sensitive areas like the CEO office, board and conference rooms to detect any unauthorised devices (Wi-Fi access points or recording devices or bugs), especially before any important meetings take place there.

New employees expressing interest in areas / domains not relevant to their scope of work could be potential indicators of spying, especially if the employee has joined from the competition. Monitor the internet browsing, emails and phone calls of these employees in such cases.

How to prevent corporate espionage

Information security efforts must therefore address countermeasures that are as comprehensive as the methods employed against them. There are four parts of a comprehensive security effort that enhance and support each other: Technical, Operational, Physical, and Personnel Security.

Technical security – reduce the vulnerabilities present in electronic systems. In addition to implementing perimeter level defences like firewalls and intrusion prevention systems, InfoSec teams should start paying attention to other factors like protecting the data ‘within’ the enterprise. Identifying and classifying critical and confidential data and then implementing security solutions to assign rights and identify leaks should be the top-most priority for them. The database team is privy to a lot of information, and adequate controls to monitor and audit their activities should be in place. Encrypting critical data identified in the earlier step is key to ensuring data is protected even if compromised.
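The log-based detection methods described above (an unearthly login time, an account found locked out in the morning, outbound traffic beaconing to a command-and-control server, and correlation rules across server and firewall logs) can be expressed as a small correlation script. The following is an added example written for this page, not code from the article or its author; the key=value log format, host names and addresses are constructed, and the business-hours window and thresholds are assumptions.

```python
"""Added example: correlate constructed auth and firewall logs for insider-threat indicators."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not from the article). Format: timestamp key=value ...
AUTH_LOG = """\
2015-06-01 09:02:11 host=fin-srv01 user=asharma result=success src=10.1.4.22
2015-06-01 23:41:05 host=fin-srv01 user=asharma result=fail src=10.1.9.77
2015-06-01 23:41:19 host=fin-srv01 user=asharma result=fail src=10.1.9.77
2015-06-01 23:41:33 host=fin-srv01 user=asharma result=fail src=10.1.9.77
2015-06-01 23:41:48 host=fin-srv01 user=asharma result=fail src=10.1.9.77
2015-06-01 23:42:01 host=fin-srv01 user=asharma result=fail src=10.1.9.77
2015-06-02 02:17:40 host=db-srv02 user=dbadmin result=success src=10.1.9.77
2015-06-02 10:05:12 host=fin-srv01 user=rkumar result=success src=10.1.4.31
"""

FW_LOG = """\
2015-06-02 02:20:00 src=10.1.9.77 dst=203.0.113.55 dport=443 proto=tcp bytes=812
2015-06-02 02:30:00 src=10.1.9.77 dst=203.0.113.55 dport=443 proto=tcp bytes=790
2015-06-02 02:40:00 src=10.1.9.77 dst=203.0.113.55 dport=443 proto=tcp bytes=805
2015-06-02 02:50:00 src=10.1.9.77 dst=203.0.113.55 dport=443 proto=tcp bytes=799
2015-06-02 02:51:13 src=10.1.4.31 dst=198.51.100.9 dport=443 proto=tcp bytes=23411
2015-06-02 10:07:45 src=10.1.4.31 dst=198.51.100.20 dport=443 proto=tcp bytes=1044
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (.*)$")


def parse_line(line):
    """Parse one 'YYYY-mm-dd HH:MM:SS key=value ...' line into a dict with a 'ts' datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = dict(kv.split("=", 1) for kv in m.group(2).split())
    rec["ts"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def off_hours_logins(records, day_start=7, day_end=21):
    """Successful logins outside the assumed business window (the 'unearthly login time')."""
    return [(r["user"], r["host"], r["src"], r["ts"]) for r in records
            if r.get("result") == "success" and not (day_start <= r["ts"].hour < day_end)]


def lockout_candidates(records, threshold=5, window=timedelta(minutes=5)):
    """(user, src) pairs with >= threshold failed logins inside a sliding window,
    i.e. the pattern that leaves an account locked out when the owner arrives."""
    fails = defaultdict(list)
    for r in records:
        if r.get("result") == "fail":
            fails[(r["user"], r["src"])].append(r["ts"])
    hits = []
    for key, times in fails.items():
        times.sort()
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits.append(key)
                break
    return hits


def beaconing(records, min_hits=4, jitter=timedelta(seconds=30)):
    """Outbound flows from one src to one dst:port at near-constant intervals,
    the outbound pattern a backdoor reporting to its C2 server tends to leave."""
    flows = defaultdict(list)
    for r in records:
        flows[(r["src"], r["dst"], r["dport"])].append(r["ts"])
    found = []
    for key, times in flows.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        if max(gaps) - min(gaps) <= jitter:
            found.append(key + (int(gaps[0].total_seconds()),))
    return found


def correlate(auth_text, fw_text):
    """Correlation rule: rank internal hosts by how many indicators they combine.
    Returns {src: [indicator, ...]} with the most suspicious host first."""
    auth, fw = parse_log(auth_text), parse_log(fw_text)
    ind = defaultdict(list)
    for user, src in lockout_candidates(auth):
        ind[src].append(f"password guessing against {user}")
    for user, host, src, ts in off_hours_logins(auth):
        ind[src].append(f"off-hours login as {user} on {host} at {ts:%H:%M}")
    for src, dst, dport, period in beaconing(fw):
        ind[src].append(f"beacon to {dst}:{dport} every {period}s")
    return dict(sorted(ind.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for src, reasons in correlate(AUTH_LOG, FW_LOG).items():
        print(src, "->", "; ".join(reasons))
```

On the constructed data the script reports a single host, 10.1.9.77, carrying all three indicators; the individual rules still fire on their own, so the correlation step only changes the ranking, not the raw detections.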
Personnel security - All newpersonnel joining the organizationshould undergo a backgroundverification check. In cases wherethey would be handing sensitivedata there should be a cooling offperiod during which these
employees should not be providedaccess to confidential data.Criminal background verificationis a must for all employeeshandling or managing sensitivedata like Information securityprofessionals, database and ITteams, processing teams etc.
Ensuring stringent background andcriminal checks are done even forcasual employees or contractorsoffering housekeeping and physicalsecurity services is mandatory.
Implementing and monitoringCCTV records, especially ofcritical areas like CEO office,board or conference rooms toidentify any malicious acts bythese personnel during the night isa must.
Hiring and Exit formalities shouldbe in sync with IT processes, anyabsconding or resigned staffshould be deleted from systemswithin defined time frame. In caseswhere potential job hunting isdetected the employees should bemonitored closely to ensure datais not being taken out. Contracttermination of external vendorsand more importantly theirpersonnel who have access tocritical data of the organizationeither for processing or havingaccess to FTP /web systems inabsconding state or resigning fromservices should be notified to theorganization immediately.
Another major factor that needs to be addressed is the proliferation of social media. Some of the most popular sites, such as LinkedIn, Facebook and Twitter, are easy channels for people to vent their grievances and frustrations, likes and dislikes: key information for a competitor looking to source these people to work for them and use them as spies. Inadvertent disclosure of corporate information could also lead to serious repercussions for the organization. It is important for organizations to have a policy and awareness session for their corporate staff.

Operational security - Giving new employees data access on a "need to know" basis prevents the unnecessary proliferation of information. Likewise, policies restricting the use of open communication lines, such as the Internet and telephone systems, reduce the potential for the compromise of information. Other operational security issues include enforcing your own security policies on your vendors and suppliers.

Critical departments within the organization should be reviewed for potential ways the information could be maliciously used. There must be a clear understanding of who to disclose information to, and under what conditions and controls.

A strong security awareness program is the foundation for a strong operational security program. People must know what information they should protect, and specifically how to protect it. Everyone should be encouraged to identify and report any questionable circumstances, and know who to report them to.

Physical security - Physical access to facilities should be carefully regulated and controlled. This includes limiting the access of visitors and contractors, as well as your own employees. All employees must wear access badges that indicate their status, such as employee, temporary, visitor, or contractor. This helps to reduce the threat of people overstating their authority. Obviously, there should be an operational security policy that encourages all people to look at badges. Top management should lead by example and wear / display their badges at all times. Another physical security issue to be addressed is the control of garbage. Locks on office doors and file cabinets frequently go unused in many organizations. Clean desk policies, which require all sensitive information to be locked up, must also be enforced. A clear screen policy should be enforced as well.
Instances of corporate espionage and the damage caused - global / India

An article in ComputerWeekly in 2013 highlights a large and sophisticated cyber-attack infrastructure that appears to have originated in India. A group of attackers based in India seems to have employed multiple developers to deliver specific malware for private threat actors, according to a report by malware analysis firm Norman Shark. Analysis of IP addresses collected from criminal data stores showed that the attacks targeted victims in more than a dozen countries.

'Shastrigate' - named after Shastri Bhavan, which houses a number of ministries - refers to the recent leaks of documents from the Petroleum and Gas Ministry and later from the Coal, Foreign Investment Promotion Board (FIPB), Power and New and Renewable Energy ministries. Delhi Police's Crime Branch arrested five persons, reportedly including two government officials and a journalist, for allegedly leaking classified documents from the petroleum ministry. Two forged identity cards of the Ministries of Coal and Power and copies of various official / secret documents were seized from the possession of one of those arrested. A total of 16 people were arrested in the espionage case.

APT1 - China's cyber espionage unit - has been active since 2006 and has targeted more than 141 organizations, stealing hundreds of terabytes of data from them. It focuses on compromising organizations across a broad range of industries in English-speaking countries.

In 2001, Procter & Gamble admitted to a spying operation, alleged to have been carried out over 6 months, on its hair-care competitor Unilever. Their plan included going through Unilever's trash in search of documents.

In the early '90s, allegations came to light that Avant!, a Silicon Valley software company, had stolen code from a rival company, Cadence Design Systems.

When the chief of production at Opel moved to rival Volkswagen, he was followed by not one, not two, but seven other executives. Opel cried industrial espionage - over an alleged missing bundle of confidential documents - in response to which Volkswagen parried with accusations of defamation.

Michael Mitchell worked on the marketing and sales of Kevlar for DuPont until he was fired in 2006. He offered his services to Kolon Industries Inc, a Korean firm which happens to be one of two companies that manufacture fibers that can tough it out with Kevlar in the toughness stakes. After emailing his new bosses confidential information on Kevlar, he went back to old colleagues at DuPont to find out more.

Covert monitoring of Microsoft: Larry Ellison, head of Oracle, who wanted to expose Microsoft's funding of various public interest groups, used detectives to bribe the cleaning staff at Microsoft's Washington office to lay their hands on documents.

Conclusions

There needs to be a paradigm shift for information security professionals, from traditional information security mechanisms to focussed corporate espionage protection techniques. In the end, it is always the data and information that is at stake, and identifying and knowing where it lies in the organization and protecting it through focussed data security mechanisms removes the fizz if spies get their hands on it.

Many incidents have shown the impact of insider threats; in some cases 70% of them are related to it. If the information security team focuses on various other factors in addition to technical aspects, it would provide a holistic approach and reduce the potential loopholes which can be exploited. Close coordination with the Physical Security and Human Resources teams, working as one close-knit unit, would help alleviate the threats of corporate espionage.

A detailed and continual awareness program is the best method to deter many attacks. If all employees know what to look for, then the chances for an attack to be successful are minimized.

References:
1 - Akanksha Vasishth and Akash Kumar. 2013. "Corporate Espionage: The Insider Threat", Business Information Review, Vol. 30, June.
2 - Ahvi Spindell. 2013. "Industrial Espionage Threats to SMEs Originate from Within". Thomasnet News, 17 October. http://news.thomasnet.com/IMT/2013/10/17/industrial-espionage-threats-to-smes-originate-from-within/
3 - http://social-engineer.org/wiki/archives/PenetrationTesters/Pentest-Winkler.html
4 - http://www.computerweekly.com/news/2240184448/Researchers-uncover-Indian-cyber-espionage-network
5 - http://intelreport.mandiant.com/
6 - http://www.businesspundit.com/10-most-notorious-acts-of-corporate-espionage/

© All Rights Reserved 2007-2015 ISACA Mumbai Chapter.
Social Media Usage in the Enterprise
- K K Mookhey

Brief Bio - About the Writer
K. K. Mookhey is the Principal Consultant at Network Intelligence (I) Pvt Ltd. and the Institute of Information Security. One of the pioneers in the information security space, he founded NII in 2001. What started as a one-man show has grown into a team of 200+ security professionals working across India and the Middle East with the who's-who of industry as long-term clients. He is the author of two books on security - Linux Security & Controls and Metasploit Framework - as well as numerous articles. He is one of the first Indian security researchers to have presented at Blackhat USA in 2004. His experience and skillsets encompass IT Governance, Information Security Strategy, Forensics, Fraud Risk Management, and Business Continuity. He holds the CISA, CISSP, CISM, CRISC and PCI QSA qualifications.

Introduction
With the onslaught of SMAC - Social Media, Analytics, Mobility and Cloud Computing - in our personal as well as professional lives, we are spending a huge amount of time and energy in a digital world. Many organizations are faced with the challenge of how to handle and even leverage these technological innovations to gain a business advantage. This article looks at the aspect of social media and how best an organization may decide its stance with respect to allowing or disallowing users access to social media sites from work.

What is social media?
Social media refers to those websites where users interact with each other based on common interests and much of the content is user-generated. The most common examples of social media are of course Facebook, Twitter, LinkedIn, etc.

Why are we opening up access to social media?
The main objective behind this step should be clearly articulated and spelt out for all employees to read and understand.

What aspects are to be kept in mind when allowing employees access to social media from within the network?
There are certain risks that we must be aware of when allowing access to social media.

1. Loss of productivity
One of the concerns that senior management might have is that people will end up spending too much time on these sites and thereby reduce their focus on work. Studies have shown that a large percentage of access to social media happens during working hours even in cases where employers have not allowed such access on their networks. This means that employees in any case access these sites using their smartphones. One answer to this problem would be to allow access to these sites during specific times of the day - such as during the lunch break and after working hours. This will give employees a targeted time during the day when they can use these sites and reduce their propensity to access them using their smartphones. Why increase one's data consumption when the company network allows me to access these sites during lunch and after working hours? We might actually see an increase in productivity from this approach.

It is important to closely monitor social media usage and bandwidth consumption on a regular basis to avoid misuse.

2. Security risks
Often the content and links posted on social media sites can be used to compromise the user's system via a phishing scam or malware download. While this can happen in any case, social media interactions happen with a certain level of inherent trust - the posts and links are from friends of mine and therefore must be valid to some extent. This can be mitigated by strong malware controls within the network as well as constant employee education. While we open up social media for our employees, we should combine it with an awareness campaign that helps them use social media in a secure fashion.

3. Employee privacy
Managers must be sensitized not to cross the boundaries of social etiquette and the laws around workplace harassment just because they are connected with their peers or employees over social media. This connectivity can create a false sense of intimacy where none might exist and cause relationships to sour. Certain boundaries must be maintained in social media interactions between employees - especially between those in management positions and their subordinates.

4. Disclosure of sensitive information on social media
Any instance of disclosure of company confidential information on social media should be handled with strict action, and a strong message sent that these channels cannot be used for causing any sort of harm to the company or its reputation. Again, the employee awareness campaigns should help sensitize people to the proper usage of these channels and ensure they don't inadvertently disclose insider information even over chat.

5. Protecting company reputation
What employees post about the Company should be outlined - more along the lines of encouraging them to give positive insights rather than listing out too many restrictions, which might appear to be a curb on freedom of speech. The signal that should go out is that social media is a positive technology, and promoting the Company, its brand, and its practices on social media would help create a beneficial image for the Company and employees. Encourage employees to use their common sense rather than treating them with kid gloves.

6. Other safeguards
The other guidelines we have in our acceptable usage guidelines for email and Internet should also flow through to social media - such as not posting content of a sexual nature or that which might break the country's laws or be considered racist or offensive.

Overall, the following steps should be taken:
1. Identify the purpose behind taking this step and make it public to all employees
2. Restrict use of social media to the lunch break and after working hours
3. Monitor closely the usage of these sites and alert employees and their managers if usage crosses acceptable thresholds
4. Educate employees on the risks of social media - even at home - this will encourage them to follow proper safety precautions both at work and at home
5. Create an acceptable set of guidelines and circulate them to all employees

Further reading:
Social Media Strategy, Policy and Governance
Enterprise Social Governance
Social Media Policy Template
Social Media Policy Template
Another template (4 pages)
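Steps 2 and 3 of the list above (allow social media only during the lunch break and after hours, and alert the employee and manager when usage crosses a threshold) can be checked against the web proxy logs. The following is an added example written for this page, not code from the article or its author: the permitted windows, the domain list, the thresholds and the proxy log lines are all constructed values standing in for whatever the organization actually agrees, and the log format is a hypothetical "timestamp user host status bytes" layout.

```python
"""Proxy-log check for a time-window social media policy (added example).

Policy windows, domains, thresholds and log lines are constructed values;
the log format is hypothetical.
"""
from datetime import datetime, time

# Constructed policy: social media allowed only during lunch and after hours.
SOCIAL_DOMAINS = {"facebook.com", "twitter.com", "linkedin.com"}
ALLOWED_WINDOWS = [(time(13, 0), time(14, 0)), (time(18, 0), time(23, 59, 59))]

# Constructed proxy log: "<timestamp> <user> <host> <status> <bytes>"
SAMPLE_PROXY_LOG = """\
2015-06-01T10:05:12 ravi www.facebook.com 200 18240
2015-06-01T10:07:44 ravi www.facebook.com 200 9102
2015-06-01T11:00:00 meena intranet.example.local 200 1200
2015-06-01T13:20:01 asha twitter.com 200 4400
2015-06-01T15:30:09 asha www.linkedin.com 200 2200
2015-06-01T18:10:00 ravi www.facebook.com 200 7500
"""


def is_social(host):
    """True if host is a policy domain or a subdomain of one."""
    return any(host == d or host.endswith("." + d) for d in SOCIAL_DOMAINS)


def in_allowed_window(ts):
    """True if the request time falls inside one of the permitted windows."""
    t = ts.time()
    return any(start <= t <= end for start, end in ALLOWED_WINDOWS)


def parse_proxy_log(text):
    """Parse the constructed log format into dicts; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, user, host, status, nbytes = parts
        try:
            records.append({"ts": datetime.fromisoformat(ts), "user": user,
                            "host": host, "status": int(status), "bytes": int(nbytes)})
        except ValueError:
            continue
    return records


def summarize_social_usage(records):
    """Per-user social media requests, with the out-of-window share counted separately."""
    summary = {}
    for r in records:
        if not is_social(r["host"]):
            continue
        s = summary.setdefault(r["user"], {"requests": 0,
                                           "out_of_window_requests": 0,
                                           "out_of_window_bytes": 0})
        s["requests"] += 1
        if not in_allowed_window(r["ts"]):
            s["out_of_window_requests"] += 1
            s["out_of_window_bytes"] += r["bytes"]
    return summary


def usage_alerts(summary, max_out_of_window_requests=1, max_out_of_window_bytes=20000):
    """Users whose out-of-window use crosses either threshold (for the user and their manager)."""
    alerts = []
    for user, s in sorted(summary.items()):
        reasons = []
        if s["out_of_window_requests"] > max_out_of_window_requests:
            reasons.append(f"{s['out_of_window_requests']} requests outside allowed hours")
        if s["out_of_window_bytes"] > max_out_of_window_bytes:
            reasons.append(f"{s['out_of_window_bytes']} bytes outside allowed hours")
        if reasons:
            alerts.append((user, "; ".join(reasons)))
    return alerts


if __name__ == "__main__":
    usage = summarize_social_usage(parse_proxy_log(SAMPLE_PROXY_LOG))
    for user, reason in usage_alerts(usage):
        print(f"ALERT {user}: {reason}")
```

Requests inside the permitted windows are counted but never alerted on, so the report distinguishes a user who uses the lunch-hour allowance from one who ignores it; the byte threshold covers the bandwidth concern raised under "Loss of productivity".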
Vendor risk assessment
- Latha Sunderkrishnan

Brief Bio - About the Writer
Latha Sunderkrishnan (CISA, ISO27001 LA, COBIT 5 Foundation) is a Senior Consultant with Network Intelligence India. She is an Electronics Engineer with more than 17 years of experience in IT with various multi-national organizations, working with a wide variety of technologies. She has worked in Information Security Audits and Consulting, Information Security trainings, Project Management, Quality Assurance and Customer Support. She can be reached at [email protected]

1. Introduction
Companies today have third party contracts with various vendors. Most processes are outsourced to various companies. This is the most convenient and flexible way to work, so that overall management activities are limited to vendor management alone. The quantum of work that is outsourced to third parties includes not just IT, data management and security providers, but also facilities management (cleaning, HVAC - Heating, Ventilation and Air Conditioning) along with any vendor that may have access to the network, data or facilities. However, outsourcing to third parties comes with significant risks such as adverse vendor incidents, and sometimes even penalties from regulators.

In today's paperless and highly competitive environment, it is in the interest of the company to safeguard its information. Therefore it becomes imperative that the company does everything to manage and maintain its IT infrastructure. This means a need to evolve a vendor risk management process, which will look at the various aspects of information security associated with the vendor. This would include management of risks right from identifying the vendor, through contract management, risk management, business continuity plans etc. Managing external vendors should be a key competency for every enterprise and can lead to optimally mitigated risk and significant benefits.

In order to establish an effective vendor management process with goals and objectives, the enterprise needs to ensure the following:
• Vendor management strategy is consistent with enterprise goals.
• Effective cooperation and governance models are in place.
• Service, quality, cost and business goals are clearly defined.
• All parties perform as agreed.
• Vendor risk is assessed and properly addressed.
• Vendor relationships are working effectively, as measured according to service objectives.

2. Approach
1. A risk assessment needs to be done for choosing the vendors. The controls implemented need to be evaluated and, if need be, the policies and procedures need to be audited. The selection procedure should be performed with due diligence. This should be properly documented based on needs and appropriate criteria.
2. Site visits to the vendor office need to be carried out. The financial capabilities of the vendor need to be assessed, along with previous experience, staff capabilities, any pending litigation or customer complaints etc.
3. Skill levels and training of the vendor need to be assessed. This will help in understanding their capabilities for the contractual work undertaken.
4. Check that adequate documentation is present to convey the program management of the vendors to the relevant staff of the company.
5. The contracts need to be well defined. They should be vetted by internal / external legal counsel.
6. Adequate staff should be deployed in order to fulfil the requirements of the contract. The third party staff should be well aware of their roles and responsibilities. They should also have signed confidentiality agreements.
7. All records pertaining to activities need to be managed in an organized manner. Methodologies for updating and archiving documents need to be defined.
8. The results of the activities performed by the vendor need to be reported to management on a timely basis. This should be reviewed by management periodically. There should be a feedback mechanism in place. Thus the performance of the vendor is evaluated continuously.
9. All precautions need to be taken to ensure that the data of the organization is protected and secure at all times.
10. The organization should ensure that compliance is met and all policies and procedures are complied with. It should also plan for regular audits of the third party process and ensure that those are also complied with at all times.
11. If the outsourced vendor is a foreign company, then the organization should take care that the legal requirements are met. There should be penalty clauses or fines that can be applied.
12. The vendor organization should also have Business Continuity Plans and Disaster Recovery plans in place in case of any disruptions. It should ensure that the activities are performed in case of a disaster.
3. COBIT 5 framework for Vendor Management
COBIT 5 has defined a framework for Vendor Management. It defines the roles and responsibilities of the different stakeholders in the contractual agreements. The RACI (responsible, accountable, consulted and informed) chart is shown in the figure below:

Vendor Management RACI chart (Contractual Relationship Life Cycle)

Stakeholders              Setup   Contract   Operations   Transition-Out
C-level executives          A        A           A              A
Business process owners     R        R           I              R
Procurement                 R        R           I              R
Legal                       R        R           C              C
Risk function               C        C           R              R
Compliance and audit        C        C           C              C
IT                          R        R           R              R
Security                    R        C           R              C
Human resources (HR)        C        C           C              C

C-level Executives - They are accountable for the vendor management process, depending on the scale of outsourcing.
Business Process Owners - Business process owners should be actively involved in the vendor management life cycle.
Procurement - Many responsibilities within the vendor management life cycle belong to the procurement function.
Legal - To effectively mitigate vendor-related risk, the legal function should be involved throughout the entire vendor management life cycle.
Risk Function - The risk function should be consulted throughout the vendor management life cycle to obtain a complete view on risk that is related to the relationship, services or products.
Compliance and Audit - The compliance and audit functions should be consulted throughout the vendor management life cycle to ensure compliance with internal and external laws, regulations and policies.
IT - The IT role is significant because its members may be more familiar with the products and services and their market availability.
Human Resources - The HR stakeholder should be consulted throughout the vendor management life cycle to ensure compliance with the enterprise's worker statutes, local regulations, code of conduct and labour law.

4. Managing a Cloud Service Provider
Cloud computing security is the set of control-based technologies and policies designed to adhere to regulatory compliance rules and protect information, data, applications and infrastructure associated with cloud computing use.
The cloud is a shared resource, hence identity management, privacy and access control are of particular concern. With more organizations using cloud computing and associated cloud providers for data operations, proper security in these and other potentially vulnerable areas has become a priority for organizations contracting with a cloud computing provider.

Cloud computing security processes should address the security controls the cloud provider will incorporate to maintain the customer's data security, privacy and compliance with necessary regulations. The processes may also include a business continuity and data plan in case of a cloud security breach.

Using the public cloud effectively is an IT governance issue. The impact the cloud is having on the organization is initially assessed in order to devise a strategic and workable approach.

It is important to identify and categorize data already within the organization and the business processes around it. For example, storing credit card data in-house currently and outsourcing the storage would mean an increased scope for PCI DSS (although outsourcing the payment transactions themselves to an approved provider usually makes sense). Storing personal data could have legal ramifications if it is stored or replicated outside the country of the data subject.

Firstly there is a need to address the new threats that virtualisation poses within cloud computing. The second is the ability of SMEs to perform due diligence effectively for an outsourced provider, given that they rarely have in-house technical or legal expertise.

The Google Plus cloud service helps me keep my contacts, calendars, photos, etc., synchronized across my various computing devices. Thus I like this feature and service. When I suddenly had to switch mobiles as my previous one was not working, I got back all my data intact from this service. But I am also careful about the data I put there.
5. Metrics for SLA
An SLA would define the service level agreement between the vendor or service provider and the company. It would also include how the services would be measured. This would define whether the expectations are met in terms of the services provided.

How to go about choosing the various factors for the metrics?
Firstly there is a need to define the KPIs that could be used to measure the metrics. Secondly it would include the type of KPI, like:
• Objective - Number of major incidents in a month
• Subjective - Improvements in client satisfaction

When selecting a KPI, one needs to understand what the indication of value to the customer is:
• Enhanced performance in the business
• Constraints removed from the business
• Availability and reliability of the service
• Performance of the service
• Security of the service
• Service continuity (ability to recover from disaster)

Metric types could be:
• Service metrics, which reflect the end-to-end quality of service or 'user experience'
• Process metrics, to inform the service provider and customer of the effectiveness (achieving goals) and efficiency (use of resources) of key activities within the service delivery function
• Technology metrics, to inform the IT provider at the component level, enabling the identification of issues and improvement opportunities
Penalty clauses should be used only if:
• there is a reasonable lack of performance
• it is solely the service provider's fault, which means that the company is not at fault at all
• it is done in a fair manner with an overall understanding of the incident

Above all else, never forget the #1 rule - nothing should be included in an SLA unless it can be effectively monitored and measured at commonly agreed points.
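The "#1 rule" above is easiest to honour when each SLA target is tied to a calculation both parties can rerun from the same records. The following is an added example written for this page, not code from the article: the incident register, the month and the two targets (minimum availability, maximum major incidents) are constructed values, and the KPI definitions it uses (availability from outage minutes clipped to the reporting month, major incidents counted by the month they were opened in) are assumptions that the SLA would have to state explicitly, since an outage straddling a month boundary is exactly the kind of case that otherwise produces a dispute.

```python
"""SLA KPI report from an incident register (added example).

Incidents, month and targets are constructed; the KPI definitions are
assumptions that the SLA itself would have to spell out.
"""
from datetime import datetime

# Constructed incident register. INC-3 straddles the month boundary.
INCIDENTS = [
    {"id": "INC-1", "severity": "major", "start": datetime(2015, 6, 3, 9, 0),    "end": datetime(2015, 6, 3, 10, 30)},
    {"id": "INC-2", "severity": "major", "start": datetime(2015, 6, 17, 22, 0),  "end": datetime(2015, 6, 17, 22, 30)},
    {"id": "INC-3", "severity": "minor", "start": datetime(2015, 5, 31, 23, 30), "end": datetime(2015, 6, 1, 0, 30)},
]

# Constructed targets: availability at least 99.9 %, at most 1 major incident a month.
TARGETS = {"availability_pct_min": 99.9, "major_incidents_max": 1}

# Reporting window for June 2015 (end is exclusive).
MONTH_START = datetime(2015, 6, 1)
MONTH_END = datetime(2015, 7, 1)


def clipped_minutes(start, end, window_start, window_end):
    """Minutes of [start, end) that fall inside [window_start, window_end)."""
    lo = max(start, window_start)
    hi = min(end, window_end)
    if hi <= lo:
        return 0.0
    return (hi - lo).total_seconds() / 60.0


def sla_report(incidents, window_start, window_end, targets):
    """KPIs for the window and the list of targets that were breached."""
    total_minutes = (window_end - window_start).total_seconds() / 60.0
    # Availability counts every outage minute inside the window, whichever month it was opened in.
    downtime = sum(clipped_minutes(i["start"], i["end"], window_start, window_end) for i in incidents)
    # The major-incident KPI counts incidents by the month they were opened in.
    majors = [i["id"] for i in incidents
              if i["severity"] == "major" and window_start <= i["start"] < window_end]
    availability = 100.0 * (1.0 - downtime / total_minutes)

    breaches = []
    if availability < targets["availability_pct_min"]:
        breaches.append("availability")
    if len(majors) > targets["major_incidents_max"]:
        breaches.append("major_incidents")

    return {
        "downtime_minutes": downtime,
        "availability_pct": round(availability, 4),
        "major_incidents": majors,
        "breaches": breaches,
    }


if __name__ == "__main__":
    r = sla_report(INCIDENTS, MONTH_START, MONTH_END, TARGETS)
    print(f"Downtime {r['downtime_minutes']:.0f} min, availability {r['availability_pct']}%")
    print("Major incidents:", ", ".join(r["major_incidents"]) or "none")
    print("Breached targets:", ", ".join(r["breaches"]) or "none")
```

The `breaches` list is what a penalty discussion should start from: it names the agreed measurement that was missed, and the figures it rests on can be recomputed by either side from the same register.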
6. Third Party Audits
These can be conducted once in a while depending on the criticality of the services. For these audits, the general controls used are:

Risk assessment - Based on the risks pertaining to confidentiality, integrity and availability, access should be provided to the third party. Access control rights can be given based on the sensitivity of data. This should also be covered by a clause in the contract. The risk assessment can decide the further action that needs to be taken.

Screening - Background checks for vendors / partners need to be performed vigilantly. This is a very important aspect of vendor management. The company also needs to be checked for its financial viability. Depending on the criticality of the business and contract, audits could also be performed on their existing information security controls and processes.

Information transfer - Agreements with the external party need to ensure that the transfer of information between both parties happens in a secure manner.

Selecting clauses in the agreement - Based on the risks assessed, the clauses should be present in the agreement. Penalty clauses based on the risks identified should exist. Turnaround time should also be mentioned in the clauses.

Access control - Access to data by third party contractors needs to be monitored at regular intervals. It should be given only on a needs basis, and the minimum access necessary should be provided.

Confidentiality and Non-Disclosure Agreements - Confidentiality and non-disclosure agreements need to be signed by all employees of the third party who are contracted by the organization. These need to be reviewed on a periodic basis.

Compliance monitoring - Ensure that the third party complies with all clauses pertaining to security. This needs to be monitored, and they can also be audited for the same. This needs to be controlled based on access and other rights on data.

Termination of the agreement - When the agreement is terminated, or the contract has expired and the company has decided not to extend it, the proper controls for this need to be monitored: all assets should be returned by the vendor, and all access rights removed for the vendor. This again needs to be part of the contract.
7. Need for an effective vendor risk assessment
An effective and efficient vendor risk assessment provides benefits to the enterprise in terms of:
• Delivery of cost savings
• Meeting stakeholder needs
• Risk management
• Assurance of quality
• Standardization
• Flexibility and efficiency
IT security has become an important aspect for any business. Most companies are not willing to budget enough for IT security in general and vendor risk assessment in particular, despite the fact that security of the data processed by the enterprise, including by vendor resources, is pivotal. Data security may not be the primary business of any company, so companies do not spend higher amounts on IT security in general and on vendor risk assessment in particular.

Financial services companies are inclined to have higher budgets for IT security in general and for vendor risk assessment as compared to other types of companies. This is because regulators have mandated security and confidentiality of the customer data processed by these companies, albeit using many vendors. Consequently, these companies are forced to implement IT security standards. A vendor risk assessment will assure us that a vendor has become conscious of protecting the confidentiality, integrity and availability of the data and the associated information assets. This brings a culture change at the vendor company. IT security controls can be implemented only if the management of the vendor company supports the initiative.
References:
http://citebm.business.illinois.edu/TWC%20Class/Project_reports_Spring2006/Business%20Risk%20Management/Manzoor/project%20report.pdf
http://www.employeeservices.gov.sk.ca/projectsecurity
www.isaca.org - Vendor Management Using COBIT 5
Security Considerations while Procuring BYOD Solutions for Mobile Phones / Tablets
- Janak Majithiya

Brief Bio - About the Writer
Janak Majithiya (CISA, ISO27001 LA) has 10 years of extensive experience in information security, designing and reviewing infosec policies and procedures, information security risk management, ISO/IEC 27001 implementation and auditing, information security audit and third party information security risk assessment.

Bring your own device (BYOD) is the latest trend in many companies. Business requirements for working from home, accessing e-mail 24*7, instant customer support etc. are increasing, and the future trend looks like this will continue to increase.

In early 2010, most companies were using BlackBerry as the company-provided mobile phone device. A few months later smartphones took over almost the entire BlackBerry market. Smartphones have made life easy, user friendly and cost effective. Companies realized the ongoing cost of the BlackBerry server, user licences, device cost and service cost. From a security perspective, BlackBerry is reasonably secure due to the many security policy options available on the BlackBerry server, but too costly compared to smartphones.

Further, it is also a headache for the IT team to manage the inventory of such mobile devices. There are other issues as well, e.g. finance has to maintain book value and handle depreciation if a device is lost or stolen, and the IT team has to maintain the asset allocation form, arrange repair in case a device is faulty, coordinate with the vendor, follow the purchase procedure etc. After all of these headaches and spending lots of money, business users are not satisfied due to the quality of the company phone and the restrictions and controls over company-provided phones.

Just to avoid these many hurdles and to save cost, many companies have started allowing users to use their own smartphone devices. However, I have seen many companies implement a BYOD policy without even thinking of "Information Security Risk".

Risk Assessment (without implementing any BYOD security solution)

Threat: Information leakage through BYOD
Vulnerabilities:
• No segregation between "Corporate Information" and "Personal Information".
• Users can download any attachments to the BYOD phone memory card. In case of user separation, the IT team cannot delete files stored on a personal memory card.
• A single user can configure the company's e-mail account on multiple mobile phone devices without the IT / Security team's knowledge.
Business risk: There is a risk of information sharing (intentional or unintentional) with unauthorized persons or competitors due to the absence of security controls over BYOD mobiles; this may lead to loss of business / reputation.

I hope the above table is enough to alert business stakeholders on information security assurance. No firewall can help to prevent information leakage if this is not taken care of.

Many security companies have developed BYOD security solutions. It is important for the company's security officer to choose the right solution to protect information. When we think of allowing user-owned devices for official purposes, the following MUST be taken care of:
1. Ensure the company's information is protected on the user-owned device.
2. Ensure the user's privacy. At the end of the day, it is the user's device; the company has no right to monitor what is stored on the user's mobile phone.
Most recognized BYOD Security Solutions are providing THE MOST IMPORTANT SECURITY FEATURECALL – SECURE CONTAINER.
Such tool creates “Corporate Space” within phone memory to segregate the company‟s information andpersonal information. User can access “Corporate Space” through BYOD client installed on their device.
The magic of this control is: “User cannot copy and paste any information from “Corporate Space” to“Personal Space”.
Following are TOP 10 security controls MUST be considered on your BYOD security solution
Security checklist can be further enhanced along with BYOD security solution vendor and security officerbased on need. Once solution is implemented, organization‟s HR team rollout BYOD policy with eligibility
criteria, does and don‟ts etc. There are lots of BYOD security solutions in market; generally CISO function should lead BYOD security
solution assessment.
Visit http://highersecurity.blogspot.in for more information security related blogs.
Sr Control Description
1 Secure Container As mentioned above. Please don‟t even do POC ifsolution does not provide secure container feature. Allbusiness E-mail attachments to store on corporate spaceonly and not on personal space. Copy and paste shouldnot be allowed from corporate space to personal space.
2 Restrict screenshot No screenshot on corporate space
3 Integrate with company‟scentral authentication control
BYOD security solution should be able to integrate withcompany‟ AD to access E-mails. This feature reduce ITteam‟s headache to maintain separate user managementsystem.
4 Remote wipe-out In case of theft of stolen, company‟s IT team should be
able to wipe out device remotely without anybody‟sintervention.
5 Selective wipe-out There should be option of “Selective Wide-out” to wideonly “Corporate Space”. No personal data should be
wiped out.
6 Password Policy Few BYOD Security solutions do ask for “Password”while accessing corporate emails. This is separate fromphone lock password.
7 Device Restriction User should be restricted to configure company‟s emailaccount only on ONE device. In case users attempts toconfigure another device, BYOD security solutionsshould prevent and through alert to securityadministrator.
8 Audit Logs Various logs:
Last sync Date and Time
Device details e.g. Mobile no, IMIE etc
Activity logs
Security logs User ID and E-mail IDAlso check of log retention, access to logs, security oflogs etc.
9 Compatibility Does your solution support IOS, Android, and WindowsPhone etc.
10 User‟s Private data BYOD solutions should not access user‟s private space.Solution should respect user‟s privacy
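As an added example that is not part of the article or the author's blog, a small Python audit check over a constructed BYOD sync-log export, covering the audit-log fields listed under control 8: it flags users whose corporate e-mail is configured on more than one device (control 7) and devices that have not synced recently, which are candidates for a selective wipe (control 5). The export's column names and CSV layout are assumptions.

```python
"""Audit check over a BYOD solution's sync-log export (constructed sample).
Flags users with corporate e-mail on more than one device (control 7) and
devices with no sync within STALE_DAYS, candidates for a selective wipe of
the corporate space (control 5). The export format is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export. Column names are assumptions; real vendor exports
# differ, but the checklist's fields (user ID, e-mail ID, IMEI, last sync) are used.
SAMPLE_LOG = """\
userid,email,imei,last_sync
u1001,asha@example.com,IMEI-0001,2015-06-28T09:15:00
u1002,ravi@example.com,IMEI-0002,2015-06-30T18:02:00
u1002,ravi@example.com,IMEI-0003,2015-06-29T07:40:00
u1003,meena@example.com,IMEI-0004,2015-05-01T12:00:00
"""
STALE_DAYS = 30

def parse_log(text):
    """Parse the CSV-style export into a list of dicts with a datetime last_sync."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    records = []
    for line in lines[1:]:
        rec = dict(zip(header, line.split(",")))
        rec["last_sync"] = datetime.fromisoformat(rec["last_sync"])
        records.append(rec)
    return records

def multi_device_users(records):
    """Users whose corporate e-mail is configured on more than one device (IMEI)."""
    devices = defaultdict(set)
    for rec in records:
        devices[rec["userid"]].add(rec["imei"])
    return {user: sorted(ids) for user, ids in devices.items() if len(ids) > 1}

def stale_devices(records, now_iso, max_age_days=STALE_DAYS):
    """IMEIs with no sync within max_age_days before now_iso (ISO 8601 string)."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return sorted(rec["imei"] for rec in records if rec["last_sync"] < cutoff)

if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("Users on more than one device:", multi_device_users(recs))
    print("Stale devices:", stale_devices(recs, "2015-07-01T00:00:00"))
```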
ISACA Conference
Photo Gallery

Felicitation of 2014 exam passers

The chapter celebrated the success of ISACA 2014 exam takers in a glittering felicitation ceremony. Exam passers turned out in large numbers to receive their mementos and shared their experience about planning and preparation for the exam. A special mention of the function is the son getting his CISA memento in the presence of his mother, who is also a CISA and an old member of the chapter. It was really heartening to see a mother and son holding the CISA certification together. The function finished with a dinner which was appreciated by all.
PCI DSS Workshop
Exam passer from Vadodara receiving the memento
CISA Coordinator and President talking to exam passers
Exam passer getting memento
Exam passer getting memento
Exam passer getting memento
Group Photo
Happy exam passer
Mementos
Mother and son CISA
Solution To Last Edition's Crossword Puzzle

[Solution grid (rows 1-13, columns A-N) lost in extraction; legible across entries include SPLIT KEY, AUDIT, OSPF, ZERO DAY and CHAIN OF CUSTODY.]
Career Fair
Crossword Puzzle

[Blank grid (rows 1-15, columns A-P) not reproduced in the extracted text.]

ACROSS
A-2 Something that blocks the signal
A-5 Computer dept. in old days
A-7 A code that can be used only once
A-12 Access which is not permitted
C-10 L in MPLS
C-14 A risk which remains after applying countermeasures
E-6 A US Govt computer security standard for cryptography (xxxx 140)
F-4 Objectionable sites are part of this
I-2 A business private social network
M-9 A type of ethical testing (xxxx box)
M-14 The overall performance of a telephony or computer network
N-7 Replicates and spreads over the network

DOWN
A-4 To remove or eliminate the key from a cryptographic equipment or fill device
B-1 A routing technology used by many firewalls to hide internal system addresses from an external network through use of an addressing schema
D-2 Layer 2 of the OSI Model
F-1 A unique name or character string that unambiguously identifies an entity according to the hierarchical naming conventions of the X.500 directory service
F-6 A device that protects the network
E-12 To be used in place of SSL
H-7 An _____ inventory is a must for any organization
J-7 A widely used authentication protocol developed at MIT
L-1 Software that allows a single host to run one or more guest operating systems
N-7 A type of malicious code
O-6 A supercomputer
O-12 Message Digest
P-2 A digital certificate containing a public key for an entity
P-10 Rendering sanitized data unrecoverable by laboratory attack