Introducing A Revolutionary Method To Master Real Time Changes To Avoid Attacks!!

Network is base of digital banking domain. The base should always be strong and updated. In Recent days Ransomeware attack was a very big problem. Due to confidential data, banking sector was under pressure of its major affect. Being a part of networking & security, it is our responsibility to face the challenges and search for the door to overcome from the massive situations. The small loophole in the network can create a big disaster.

While working under the guidelines of PCI DSS “The network diagram is supposed to be simple to flow, but difficult to attack, even the small changes can play a very important role in the network. The date & time on the system is always neglected but it stores the history of incidence so it should be accurate according to the time Zone (Can use NTP server). PCI DSS guidelines not only helped to make the Network strong but it also indicates how to overcome the Incidence.

Real time changes to avoid attack!!!

 

  • Always keep an eye on every action of the user, small change in the behavior of user is the first indication of attack. To track all these changes Log server should be used in network and logs should be monitor on daily basis.
  • Segmentation also plays an important role as it stops the communication between the other departments of the organization. You should create a multiple VLAN in core switch and put each department in separate VLAN. This helps in stopping the communication of inter departments and the logical segmentation can be created among the organization.
  • It is challenging to segment the moving users (Laptop) so in this case MAC binding for each users should be done.
  • Implement the proper Antivirus which can be controlled by centralized server. Because only Virus Scanning of laptops on daily basis is not sufficient. Virus infection through unwanted Website should be controlled/stop. It should also have ability to stop the data leaking by physical source.
  • User data needs to be very confidential as by usage of some software, data can be tracked easily. So to avoid this situation VPN should be used in public network so that all the data will flow through your home network in secure way and cannot be tracked easily. 2 factor authentication process is a Major Key of safety which can meet by unique SSL certificate, Passwords, User Id.

Why attack affect us?

The virus like ransomware has mass effect on the system of organization because the construction of the network or the implementation of security software is in same Prototype. Also, Limitation in innovative Idea like local network is built on fixed IP range or some common range of IPs.

 

Virus/Attacks should be taken on positive note as this give you the idea to develop the security policy and unique network strategy. Appreciate the talent of your colleague as hacker, which will help you in gap analysis and know mind set of Hacker and the target points. Small changes make big difference.

 

3 WEIRD WAYS THAT YOU COULD GET HACKED SOON!

Let me begin with a story. This is true story. However, I will be changing the names of people and the organization(s) affected, because what I am about to say is wildly embarrassing to any company that has a ‘passable’ Information Security practice.
John works at an e-payment company. He handles customer information, payment queries and settlement information. He uses a company issued laptop to access an internal portal, where he goes about his work on a daily basis. One day, John receives an email called “Proposed Pay Hike” or something with an attachment. He opens up the attachment, finds nothing, but ignores it and goes about his work. A few months later, his company is the victim of a data breach, where massive sums of money have been transferred to unknown accounts. Turns out that John and several colleagues were victims of an attack.
The attackers used phishing to deliver emails laced with malware. This malware exploited weaknesses in John’s browser and regularly shipped out pictures and video feeds of John’s activities on a regular basis. John’s company with several others have been victims of this massive malware-driven cyberattack that has cost billions of dollars for companies all over the world.
What you heard above, is not a story that is new to the world of Information Security. If you read about the Carbanak Attacks and the recent Dyre Wolf attack, you would find that these attacks (human oriented, persistent threats or HOPTs as I call them) are rising. They are everywhere and they seem to manifest in some of the most secure companies in the world.
Let’s examine the story again, with a slightly different perspective. John is a critical member of the epayments division. His company has invested millions of dollars in Network Security, Application Security, Data Leakage Prevention. In fact, once when John tried to send some information by mistake to a service provider, the Data Leakage prevention engine red-flagged it and dropped the message. Pretty Secure, eh?
However, John is a finance guy. He’s typically not exposed to high-tech, high-security stuff. He gets trained once a year on password security, physical security (mostly about USB sticks and the like), phishing (stuff like the Nigerian scams, Tax scams and so on). The training is the same every year. He needs to pass a security quiz, which is pretty much the same thing every year. He passes of course, with flying colours. His HR manager gives him (and most others) a Green Tick for Security Awareness Training.
John also uses a Windows 7 Laptop and is forced to use IE8 because his application does not work on any other browser. John uses Firefox or Chrome on his home PC and hates using IE8, but has no choice. Its slow and clunky, but that would have to suffice if he has to work on his applications.
Now, hopefully you would have started to see some red flags with this story. In my opinion, this “secure” epayments company was asking to get hacked. They, in all likelihood, “looked” really secure, but had clearly forgotten some weird “small things” that led to their eventual downfall. The unfortunate thing here is that even after the breach, this company would probably forget about the small things that actually caused this breach and focus on central, non-human preventive controls that would straitjacket the wrong entities and cause more damage than good. Anyway, here are the 3 weird things that John’s company should be doing to prevent breaches like this from happening more often.
Browsers
When I ask CIOs, CISOs, etc to explain their browser security strategy, they usually draw a blank. Their expression is one of “Why the fudge should I bother about the browser? Thats what people use to surf websites. I am more worried about the OS. Thats where all the attacks happen.” At that point, my eyes cannot help but roll relentlessly and my incredulity is writ large on my face. Most of the “security conscious companies” that I have spoken with or sometimes consulted with use IE7 or IE8, and some even (gasp) IE6. Their only ostensible reason for doing so is that IE can be controlled via the Active Directory. Not to pick on IE or anything, but my point here is simple. Your Browser is the new OS.
Your employees use web-based (internet, intranet) applications way more than anything in a  modern environment. So, its only natural that you must take browser security seriously, very seriously. Things like malicious extensions, Backdoor Javascript, Browser hooking techniques are now the raison d’être of the cybercriminals. All major human-centric attacks target the browser at some level.
In addition, modern browsers come with a host of security features including Phishing protection, Cross Site Scripting prevention, etc. If I may say so myself, Chrome’s Phishing protection is pretty top notch *(not a product plug). To add to all this, several browsers can be administered centrally with Active Directory. I certainly know that Chroma and Firefox can.
Browser Security is one of those weird, but highly probable ways you can get pwned!
Human Security
I rail against the current state of Security Awareness Training, every.chance.I.get. It sucks. If it were less important, I wouldn’t have bothered, but its exactly the opposite. Its exceedingly important. Most training I see in companies today follows a standard pattern. 1) Set Strong Passwords 2) Maintain a Clear Desk and Clear Screen 3) Report dodgy people or incidents to your management 4) Stay away from phishing emails like the Nigerian seamsters or other pretty unsubtle things like Internet Banner ads (which are so 90s) and for financial folks, the all important 5) Anti-Money Laundering.
Companies have equated security awareness training to the school librarian. You have to only see her once a year, during exams. They go out of their way to make it a “checkmark” training that is NOT interesting and NOT important. Its only important because of their “policy” and this can be easily remedied by going through some power points and answering some questions on a quiz. This is depressing. Simply because Information Security incidents are happening all over the world at a furious pace. Including them in the training programs and regularly keeping things interesting is the only way you can hope to protect your company against HOPTs and so on.
So stop looking treating Security Awareness like the Step-sisters treated Cinderella and give it a rejig. You need it. Big time.
 
Detection
The market is rife with talk of Prevention. Everyone from CISOs to Product companies are offering a silver bullet that would prevent this or prevent that. One thing is for certain. Some of the largest companies have been constantly getting hacked over the last few years. Surely, these companies have had some pretty sizeable security budgets. From personal experience, I have seen several companies have massive security budgets and they focus all their energies on acquiring the latest and greatest in preventive control. Two Factor this and Data Leakage that…. Guess what? This has failed. An over-emphasis on prevention has reduced the focus on detection and correction. Imagine trying to do everything to prevent cancer but completely neglect identifying that weird mole on your arm and getting it checked out?
While companies have invested in fancy log management systems and correlation engine, their impetus is to constantly reduce the stress (or Events per second) because preventive technologies should be “doing their job” anyway. If John’s company had invested more time, resources and efforts in endpoint and network *detection* they would have noticed weird image and video streams transmitted on egress to systems outside their network. If they had identified normal and abnormal behaviours, they could have profiled, detected and cut off possibilities for further incursions. An over-emphasis on prevention makes a company fragile to newer and more unconventional attacks. Signature based prevention systems will turn a blind eye to shell code that “looks different” from the typical stuff it sees. Attacks like Carbanak and Dyre Wolf are anything but conventional, but to confuse them for “sophisticated” might be a stretch.
Prevention is great, but detecting attacks is equally important.

3 REASONS WHY INFORMATION SECURITY DEMANDS A “BOARD’S EYE” VIEW

It was two weeks ago. I was chatting with the CFO of a major automobile manufacturing company. This is one of the largest companies in the world. I was waxing eloquent about new-age attacks that would affect companies like theirs. He listened intently for a time, flummoxed at how attackers were using every tool at their disposal to steal money and data from companies like his, all around the world. He even admitted that his company had been a victim of a recent spear-phishing attack. It was an interesting discussion till he brought up the worlds “Wow, this is pretty great, but security I guess would be an IT thing…. That’s what happens at our place. Security is IT and we never poke our head into that”, chuckling at his own joke. It was then that something hit me, and hard. Security is still considered an IT problem and NOT a business problem. Information Security, Hacking and Cyber-threats are just below black magic and worldwide apocalypse in the list of things that non-IT people don’t quite comprehend. Surely, I felt, this CFO should know of Information Security as any other management focus area within the company like sales, marketing, HR and so on. Sadly, that was not to be. I prodded “Tell me something, you’re the member of your company’s Board of Directors, how often does Data Security feature in those meetings?” He thought for a while and then shook his head “Not that I can think of. We discuss some IT initiatives like SAP integration and so on, but not security, to my knowledge, no.”

At this point I realized one unequivocal truth about our industry. It was a painful one. Information Security is perceived to be less about Information and more about IT. Information Security unfortunately does not have much of a place in the boardroom of the average company. Here are three reasons why I think Information Security must occupy an important seat at your next boardroom discussion.

  1. Every Business == IT Business

I hate to begin with clichés, but this one is very apt. IT fuels the modern business. It runs production, marketing, purchasing, sales, and literally any other operation that you can think of. Like it or not, your business runs on IT and IT components and applications can be compromised. Therefore, Information Security is/should be a paramount concern. It is literally as bad as a hospital running out of doctors to perform treatments or a manufacturing company running out of raw material. During an assessment, I was speaking to the CISO of a major Oil and Gas company who said “You know what, nobody cares about Information Security. Think about it. If we don’t use IT tomorrow, they’ll just go back to pen and paper.” I thought that was a silly statement. Pen and paper? Really? That company had automated and integrated every bit of their upstream operations with ICS systems, ERPs and so on. If they had a Data breach, it would have been a long (really long) time for them to go back to “pen and paper” and their operations would have seriously seriously slowed down. Don’t kid yourself. Every business is in the IT business. And in the IT Business, any business can/probably would get hacked. Deal with it.

  1. Security Risk is a subset of Operational Risk

Every enterprise today wants to be on top of “Operational Risk”. Most boards and CXOs spend an immense amount of time and energy understanding and attempting to be on top of Operational Risk, a.k.a “What if” analysis. Expensive consultants are engaged to provide fancy reports with graphs on “Operational Risk”. Not including Information Security Risk in that mix is a recipe for disaster. For example, you are an automobile manufacturer who’s developing a new car that is revolutionary and would change the market forever. Well, you have probably analyzed operational risk to death. But what about that designer who is working on the core design of the vehicle receiving a phishing email from a competitor and exposing your critical business secrets to your competition, consequently blowing your chances of being a market leader. Information is power. Information Security is a way of protecting that power. You cannot afford to ignore it, especially in the boardroom.

  1. Security is a Keystone Habit

According to Charles Duhigg’s well-researched book “The Power of Habit”, Keystone habits are habits that cause a chain reaction. A Keystone Habit is a single habit that can affect change across different systems, using a series of “small-wins” and energy across the system. He uses a compelling of how Alcoa’s legendary CEO Paul O’Neil was able to convert Alcoa (The Aluminum Corporation of America), not by traditional methods like cost cutting and innovative products, but by focusing on one-single habit, Worker Safety. Using this Keystone Habit, Alcoa (where workers handled molten metal and dangerous substances) not only became a Zero-Injury workplace but also became a profit-making machine thanks to the single Keystone Habit of Worker safety.

Information Security has a very similar nature. I have seen companies that install strong technology, process and people controls from an Information Security Standpoint grow into serious profit-making machines that are long-standing and durable. Security, if implemented correctly instills a sense of discipline and culture that can have huge ripple benefits to the company on the whole. While most people (incorrectly) view Information Security as a cost-center and a “support” department. I believe that gelling information security into the organization’s culture correctly and deliberately can have huge productivity and efficiency rewards for the organization.

THE 3 KINDS OF PEOPLE TO HAVE ON YOUR INFOSEC TEAM

In some companies, Information Security and Risk consists of a large team of hundreds of professionals handling security and compliance risks across many countries. In others, Information Security is one of the many responsibilities of an IT Manager who handles everything from IT management, staffing and Project Implementation. Either way, Information Security is a critical facet of the modern enterprise that is riven with uncertainty and a growing list of possible threats. Building a solid information security team (own or outsourced) is critical.

I see everywhere, that people are facing a serious challenge with information security team. In my opinion, it’s not they don’t know how to get the right candidates, it’s that they don’t know what to look for in candidates when they are building their information security teams. According to the legendary author and eternal student of business, Jim Collins, its more important to get the right people on the bus and get these people to the right seats, rather than focus on what these people need to do. Good people, in the right mix tend to produce good – great results given the right environment.

Several CIOs and CISOs ask me that single question “What kind of people do I need managing our Information Security Team?” Well, that’s what I am about to address. I believe that these 3 types of people are key to making any information security team, super-successful.

The Tinkerer
The Tinkerer is my favorite character in any good Information Security Team. The Tinkerer essentially wrestles with Technical security issues. She sets up that SIEM product all on her own and starts monitoring events inside the network. She’s able to cull through complex application or system logs and identifies the root cause of a security incident. She’s able to script up a quick tool in Python/Ruby while performing an internal penetration test. She’s what we would all call, a Geek. The Tinkerer is one who possesses a wide and deep array of technical skills that she uses in information security. The Tinkerer is hungry for technology. She has passionate conversations with the technology teams and seems to have that unlimited energy and drive in “getting his/her hands dirty” with technology implementation. The Tinkerer is an invaluable asset to any Information
Security Team because they possesses the technical skills to cut through the crap and dig deep into any technical/technology oriented solution. I have observed that Tinkerers are great with Unix command line, probably have some scripting skills and have implemented just about any open source product you can think of.

The reasons why Tinkerers are so important:
• They do not just “listen to” vendors. They actively engage and get to the bottom of the vendor’s technology. They provide solutions often, when vendors can’t.
• They save you a ton of money. Don’t have the budget for that File Integrity Monitoring solution? Not to worry, the Tinkerer will scour through the Internet and would probably implement an open source solution with the same effect.
• Their passion would drive technology security. The Tinkerer is able to engage with ease with external penetration testers, internal penetration testers, network security personnel and application personnel. The Tinkerer is able to speak all of these diverse dialects with ease and ensure that security (atleast technically) is a top priority.

The Processifier
The Processifier is a unique, un-glamorous but highly important role in Information Security Management. Every strong Information Security team must rely on process, procedures and practices to succeed. This is where the Processifier comes in. The Processifier’s basic job is to streamline Information Security Processes at the company. She ensures that there is a strong process for most information security practices. She creates a strong risk management framework that defines the company’s information security growth year-on-year. She basically ensures that the bedrock of a strong information security practice is in place for the company to implement even when she’s not around. The Processifier is usually the sounding board for sane advice on any security-related practice. She keeps the other information security personnel in check by ensuring quality of standards and processes.

The reasons why Processifiers are so important:
• They create the foundation for a strong Information Security Practice. They create the practices, processes and documentation for the Information Security Practice, which is extremely important from a long-term perspective.
• The Processifiers provide the quality and consistency parameters for the Information Security Team to conduct its activities all through the year.
• The Processifier also handles initiatives like Security Awareness and Training that
is non-negotiable for a Security conscious company.

The Prophet
The Prophet is a unique role between business and information security. The Prophet is an Information Security Professional with a keen eye on the business. While the Processifier creates a risk management framework and the Tinkerer is technically adept, The Prophet’s job is to ensure that all of this applies and makes sense to the business. Business Risk is the Prophet’s business. She is the ultimate mediator between management and security scuffles. She advises the information security team on changing business risks and perceptions. She has the right connections to the right stakeholders inside and outside the business to provide Information Security with a unique perspective. She ensures that Information Security delivers immense business value and makes it
known. The Prophet is like the ultimate fixer for businesses and information security
teams because she can speak both tongues equally well.

The reasons why Prophets are so important:
• Popular perception is “Management is always at odds with Information Security”. With the prophet, management and information security are partners.
• Sometimes, Information Security tends to get lost in controls and technology. The Prophet is the essential element that points them in the most important direction of business risk.
• Prophets ensure that Management and Information Security meet in the middle. They are the diplomats of the security world, constantly ensure that the tug of war between these two diverse areas does not cause the rope in the middle to tear or break.

Conclusion
These people (listed above) do not always have to be different people. As a single IT Manager, you might have to wear all these hats. However, having the right mix of the Tinkerers, Prophets and Processifiers, your Information Security should be in great shape.