EC-Council Appoints Universitas Mercu Buana as Academic Partner
Jakarta, May 21st, 2014


EC-Council has strengthened its partnership with the Faculty of Computer Science of Universitas Mercu Buana in Indonesia. EC-Council appointed Universitas Mercu Buana as an academic partner to deliver IT security knowledge to its current students.
From left: Mr. Bambang Hariyanto, Dean of the Faculty of Information Technology; Mr. Arisetyanto Nugroho, Rector of Universitas Mercu Buana; Mr. Sean Lim, Vice President of EC-Council, at the center; and, at the right end, Mr. Muhammad Misni, academic member of University of Mercu Buana.

‘IT security is becoming a strong knowledge for students to enter global competition in 2015 onward,’ say Mr. Arisetyanto Nugroho, Rector of Universitas Mercu Buana, and Mr. Bambang Hariyanto, Dean of Universitas Mercu Buana.

Universitas Mercu Buana is one of the universities in Indonesia with forward thinking on building its students' competency so that they are ready to enter industry faster. The university provides them with high qualifications in IT security so that its graduates can more easily get high-paying jobs.
Universitas Mercu Buana will continue to work with EC-Council on awareness, knowledge sharing and the delivery of IT security knowledge to its students.

It was an honor for EC-Council to help the education sector in Indonesia build strong IT security knowledge for its students, helping graduates obtain high qualifications in industries worldwide. As an end result, this gives students a better chance of being employed by corporations and getting high-paying jobs.

This event was followed by a short seminar in their lovely auditorium, attended by more than 400 students. In this seminar we raised the issue of how IT security equips them to become good talent and get high-paying jobs in the world. They were very enthusiastic listeners and asked tons of questions to learn more about the advantages of an IT security career.

About Universitas Mercu Buana
Universitas Mercu Buana was established on October 22nd, 1985 by renowned business owner H. Probosutedjo, who had experience as a lecturer at Taman Siswa Pematang Siantar, Sumatera Utara. It has since grown to 4 campuses and 6 faculties with a student body of more than 20,000 active students.
Address: Universitas Mercu Buana, Kampus A – Jl. Meruya Selatan, Kebun Jeruk – Jakarta Barat
Phone: 021-5840816 (hunting), 5840816 (ext. 2751), Fax: 021-5840815
For more information visit http://www.mercubuana.ac.id

About EC-Council
EC-Council (International Council of E-Commerce Consultants) is one of the world's largest certification bodies for information security professionals. EC-Council is a member-based organization that certifies individuals, institutions and companies in various information security and e-business skills. Over 500 universities globally have merged this unique IT security qualification into their curricula. Being certified by the American National Standards Institute to meet its ANSI 17024 standard in 2012 has empowered EC-Council to grow stronger, especially in collaborating with universities for better IT student careers. EC-Council is the owner and creator of the world-famous Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT) programs, and many other programs. These programs are offered in over 92 countries, and EC-Council has trained over 120,000 and certified more than 90,000 security professionals through a training network of over 500 training partners globally. For more information, visit www.eccouncil.org or email indomarketing@eccouncil.org


Overwhelming Response at EC-Council IT Security Seminar for Indonesian Universities
Jakarta, May 21st, 2014


EC-Council, as a world leader in IT security certification, recently held an exclusive seminar series at four universities in Indonesia. The seminar was held consecutively at 4 different universities: Universitas Mercu Buana, Universitas Bina Nusantara, Universitas Multimedia Nusantara, and Universitas Surabaya.

Universitas Mercu Buana was our first seminar venue. Held in their lovely auditorium, it was attended by more than 400 IT students, who were very keen and enthusiastic to listen to the knowledge shared by the Vice President of EC-Council, Mr. Sean Lim, and Certified EC-Council Instructor Mr. Kristian Oktavianus, who has more than 20 years of experience in IT.

A big step was made by Universitas Mercu Buana as it strengthened its partnership with EC-Council as an Academic Partner, joining the 500 universities around the world that deliver an IT security qualification in their curriculum and prepare their students for a chance at high-paying jobs in industry globally.

Mr. Arisetyanto Nugroho, Rector of Universitas Mercu Buana, and Mr. Bambang Hariyanto, Dean of the Faculty of Information Technology, Universitas Mercu Buana, say: ‘IT Security is the pathway for the graduating students to get high-paying jobs globally; the partnership with EC-Council will strengthen their knowledge and prove to the industry that their graduates are qualified.’

Universitas Bina Nusantara Jakarta, in association with HIMSISINFO and the Faculty of Computer Science, organized the exclusive seminar at our next venue. More than 400 IT students attended the seminar from 2 different faculties, the Faculty of Information Systems Management and the Faculty of Computer Science. Their students were enthusiastic to listen and asked a lot of questions about how to start learning IT security. They admitted that this kind of seminar should be held more often, because IT students are eager to learn and know more about how IT security knowledge is applied in industry. Most students have a vision of getting a job globally, and they realize that they need a unique qualification to compete with foreign graduates.

It was a different story when we arrived at Universitas Multimedia Nusantara in BSD, Serpong. Housed in their modern auditorium with a capacity of 200, the IT students who participated in the seminar showed great enthusiasm, with questions and answers interspersed throughout the seminar. This seminar aroused the IT students' interest in digging deeper into the importance and uniqueness of IT security for better IT careers. Having seen this big wave of interest, Universitas Multimedia Nusantara has turned its attention to how to merge our curriculum into theirs. As mentioned by Vice Rector Prof. Dr. Muliawati G. Siswanto, M.Eng.Sc, ‘IT Security is one of the skills that they need to develop more.’

Finally, at the University of Surabaya, another EC-Council exclusive seminar was held in Surabaya city. Tin Tin Hadijanto, EC-Council Indonesia Country Manager, presented a point of view on building a career advantage in IT security. This seminar brought the next level of mindset: how IT security is becoming a unique qualification that could bring great impact to real-world IT business, and how the chance of a high-paying job is not just a dream for their students.
The key message from Miss Lisana, a faculty member of Universitas Surabaya: ‘Students need additional knowledge in a practical and focused profession, to make them different from the other 30,000 graduates every year.’

It was an honor for EC-Council to help the education sector build strong knowledge for their students, helping graduates obtain a unique qualification and unique jobs in unique industries worldwide. EC-Council will continue to carry out similar activities at future events with other universities in Indonesia. IT security has become one of the most in-demand skills globally and an important part of modern business life, a cog behind IT continuity at every institution. This exclusive seminar has become one of our main agenda items in 2014, for selected Indonesian universities only. Are you one of those ready to become part of our worldwide-recognized group of universities with unique qualifications in IT security?



EC-Council takes the privacy and confidentiality of their customers very seriously.

On Saturday, February 22nd, 2014, the ICANN-accredited domain registrar of EC-Council was compromised and as a result, EC-Council suffered a DNS Poisoning attack, which resulted in their website being defaced.  EC-Council launched a comprehensive investigation and began work to regain control immediately.

As the attack happened over the weekend, EC-Council’s security team had challenges reaching the appropriate domain registrar personnel to address the situation.  As a result, the hacker was able to maintain control of the registrar’s system and the EC-Council domain during this time period.  The domain registrar in question was unable to secure their servers to a level desired by EC-Council and during this period, the domain registrar was exposed at least 2 more times.  As such, EC-Council sustained an outage while moving the entire domain to another provider.  Simultaneously, the EC-Council security team instituted additional countermeasures to other EC-Council systems within their direct control and began strengthening other security measures organization-wide.

EC-Council uses a cloud service provider for enterprise email. Once the domain privilege was attained, the hacker then issued a password reset request to the email service provider.  This circumvented EC-Council’s best practices of using complex passwords and 2-factor authentication.
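One check a defender can run against the chain just described: pin a baseline of the zone's NS, MX and A records and alert whenever resolvers answer something else, rating each change by what it enables (delegation, mail and password-reset interception, defacement). This is an added example, not part of EC-Council's notice; the domain names, addresses and records are constructed placeholders, and a real deployment would feed `diff_zone` with answers collected from several independent resolvers.

```python
from typing import Dict, FrozenSet, List, NamedTuple, Tuple

RecordKey = Tuple[str, str]                # (owner name, record type)
ZoneView = Dict[RecordKey, FrozenSet[str]]  # what the zone looks like at one moment

# What a change to each record type lets an attacker do, following the chain in
# the notice above: NS = registrar-level control of the whole zone, MX = mail
# (including password-reset links) delivered elsewhere, A/AAAA = site replaced.
IMPACT = {
    "NS": ("critical", "delegation changed: every record in the zone can now be rewritten"),
    "MX": ("critical", "mail rerouted: password-reset and verification email reaches the new host"),
    "A": ("high", "web address changed: site content can be replaced (defacement)"),
    "AAAA": ("high", "web address changed: site content can be replaced (defacement)"),
    "TXT": ("medium", "SPF/DKIM/DMARC or domain-verification tokens altered"),
}
SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}


class Alert(NamedTuple):
    severity: str
    owner: str
    rtype: str
    removed: FrozenSet[str]
    added: FrozenSet[str]
    why: str


def diff_zone(baseline: ZoneView, observed: ZoneView) -> List[Alert]:
    """Compare the pinned baseline with current answers; most severe change first."""
    alerts: List[Alert] = []
    for key in set(baseline) | set(observed):
        before = baseline.get(key, frozenset())
        after = observed.get(key, frozenset())
        if before == after:
            continue
        owner, rtype = key
        severity, why = IMPACT.get(rtype, ("low", "unclassified record changed"))
        alerts.append(Alert(severity, owner, rtype, before - after, after - before, why))
    alerts.sort(key=lambda a: (SEVERITY_ORDER[a.severity], a.owner, a.rtype))
    return alerts


def worst_severity(alerts: List[Alert]) -> str:
    return alerts[0].severity if alerts else "none"


# Constructed sample data with placeholder names; not any real domain's records.
BASELINE: ZoneView = {
    ("example-org.test", "NS"): frozenset({"ns1.registrar-a.test", "ns2.registrar-a.test"}),
    ("example-org.test", "MX"): frozenset({"10 mail.cloud-provider.test"}),
    ("example-org.test", "A"): frozenset({"203.0.113.10"}),
    ("www.example-org.test", "A"): frozenset({"203.0.113.10"}),
    ("example-org.test", "TXT"): frozenset({"v=spf1 include:cloud-provider.test -all"}),
}
# Hypothetical answers after a registrar-account takeover: delegation, mail and
# the web host all point somewhere new, while the TXT record is untouched.
HIJACKED: ZoneView = {
    ("example-org.test", "NS"): frozenset({"ns1.unknown-host.test", "ns2.unknown-host.test"}),
    ("example-org.test", "MX"): frozenset({"10 mx.unknown-host.test"}),
    ("example-org.test", "A"): frozenset({"203.0.113.10"}),
    ("www.example-org.test", "A"): frozenset({"198.51.100.77"}),
    ("example-org.test", "TXT"): frozenset({"v=spf1 include:cloud-provider.test -all"}),
}

if __name__ == "__main__":
    for a in diff_zone(BASELINE, HIJACKED):
        print(f"[{a.severity}] {a.owner} {a.rtype}: -{sorted(a.removed)} +{sorted(a.added)} ({a.why})")
```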

EC-Council has informed the service provider of this password reset policy vulnerability and is hopeful that they have already rectified it for the benefit of the IT community in general.

With administrative access to the email service provider, the hacker was able to compromise a small number of email accounts before the EC-Council security team was able to respond to the breach. This resulted in unauthorized access to messages in those specific email boxes for a short duration of time. The potentially compromised accounts represent approximately 2% of their customer base.

As the investigation is ongoing, EC-Council was unable to ascertain if any data was compromised in these accounts. However, as a precautionary measure, they are writing to notify customers that have sent any personally identifiable information to EC-Council via e-mail that there is a possibility that these may have been exposed through email.  No credit card data was compromised. As a precaution, EC-Council strongly recommends that their affected customers remain vigilant for any unauthorized use of the information shared with EC-Council and that they alert EC-Council if they find any reason to suspect any.

EC-Council strives to set a very high bar for how they serve their community, and this incident is upsetting. EC-Council has since transferred their domain to another registrar, changed policies on management of personal information, improved existing data retention policies, introduced two-factor authentication for member portals, and improved security procedures and systems.  They will continue to do more in the weeks and months to come.

EC-Council has been working closely with law enforcement agencies across 3 continents.  EC-Council is doing everything in their power to prevent this from happening again and will leverage the full extent of international law to prosecute the individual responsible.

EC-Council is a vibrant community like no other, and values its customers. Please let them know if you have any questions, comments, or concerns. You can reach them at accountsecurity@eccouncil.org.


Biometrics: a modern security enabler?

 - By Vic Mankotia, VP – Solution Strategy, APAC & Japan, CA Technologies.

With enterprise mobility growing at a fast pace, the trend of BYOD is catching on across organizations as employees now prefer to bring their own devices to work. As a result, organizations are increasingly encouraging BYOD to enable better collaboration across internal and external stakeholders and to gain better productivity among employees. With this trend, mobility is set to bring in a paradigm shift as we look at managing millions of devices. This revolution has taken most enterprises by storm, almost replacing the traditional enterprise model where an employee used to come to work and use the company's IT infrastructure. Over time, this has given rise to new, technologically advanced workforces, reshaping the way IT is purchased, managed, delivered and secured.

Further encouraging BYOD are factors like wide network connectivity, continued access to files and emails, the variety of mobile apps and solutions designed for the enterprise and, last but not least, the growth of social media. Personal devices allow employees to access data whenever required, putting enhanced capabilities just a phone key away. However, the growing trend of BYOD is blurring the differences between personal and enterprise data. Though BYOD has various advantages, it is accompanied by security threats to data. Because work-related spreadsheets, emails, calendars and other files are accessed on personal devices, the security of data has become a major concern. With the increase in cyber-attacks, enterprises are at huge risk, making information security a major concern.

Because of the mission-critical data present on mobile devices, it has become important to secure it. For years, passwords have been one of the most preferred ways to secure data digitally. But as modern information security threats increase, the lacunae in using passwords are becoming apparent. A recent hacking incident at one of the leading online note-taking services compelled the provider to reset 50 million passwords. Using a basic password or a four-digit PIN is no longer enough to protect your device or data. Multi-factor authentication is needed for many applications and access.

Biometrics offers considerable security benefits to the consumer, including better protection from identity theft, data theft, and possibly even financial fraud. It is significantly more secure than using a basic password, which is vulnerable to brute-force attacks. For instance, India is witnessing growing adoption of phone banking because of the significant convenience it offers. However, the mission-critical data can easily be compromised in the wake of any improper security measures.
The use of biological markers like fingerprints, faces and irises to identify people is rapidly moving from science fiction to reality. Apple's latest iPhone, which went on sale a few days back, can be unlocked with a fingerprint. With the iPhone 5s introducing this feature, tremendous momentum was expected to be added to this already growing industry.

First and foremost, users themselves are a threat to biometric authentication. Individuals overly trust internet applications with facial and other biometrics, which are readily acquired via multi-modal interfaces. A person's biometrics cannot be kept secret and cannot be retracted. Since a fingerprint is one password you leave around everywhere, in public places, every single day, it needs to be further authenticated and should not be used as a password on its own. 'Trust' is a rare currency, and if fingerprints replace passwords we are inviting threats and disasters. It is possible to steal or copy a person's biometrics. Experts have said that fingerprints and other indicators can be copied, giving hackers and thieves access to private information. And once compromised, fingerprints cannot be reset like passwords can.
Consumers should understand that identity is the new perimeter. It is also an individual's responsibility to ensure that this perimeter is NOT breached. The right people should have access to the right information.

The vulnerability of this system was recently seen with the hacking of the iPhone 5s. There is another risk with biometrics if you think long term. If Apple or some other biometric scanning company allows websites to validate you with a biometric scanner, then in the future you could sign into a number of accounts with your fingerprint. If that fingerprint template is stolen by a hacker, they could use it to break into other accounts as well. Biometric systems also face threats from applications. Biometric engines for the various biometrics are available not just through vendors but via open source. That says a lot about whether we intend to use biometrics as a 'toy' or as a real security measure, and whether the established privacy and use policies are more than just fancy frills. Another threat is system vulnerabilities and weaknesses at the component level and/or during transmission that could result in spoofing, data insertion, score manipulation, database compromise, hill climbing and threshold manipulation.

In enterprises, the major threat to biometric authentication is at the organization level: assuring an identity during enrollment. How do we know that the user being enrolled is the authentic user? For higher-security applications, rigorous policies and procedures are needed for enrollment assurance. Industry guidelines or regulations for the integrity of the enrollment process, which authenticate the user before biometric enrollment credentials are accepted, should be followed.

Biometrics is being adopted by various sectors like homeland security, healthcare and automotive, and leading companies like Facebook are also adding facial recognition to their platforms. As consumers' lives move from offline to the realm of digital technologies, biometrics is set to become the face of web authentication. Today, a consumer might require 11 unique passwords for everything from online banking to social media, adding to the stress of building secure gateways.

CA Advanced Authentication is a real-time, layered security solution delivered in an authentication-as-a-service format. The use of authentication services eliminates the need for the typical infrastructure, maintenance and upgrade tasks while providing a flexible, scalable and reliable solution that reduces the risk of inappropriate access or fraud. If CA Advanced Authentication is used along with biometrics, then devices can be safer. There is also CA SiteMinder, which provides Single Sign-On (SSO) and web access management to authenticate users and control access to web applications and portals. It enables the secure delivery of essential information. CA SiteMinder has the capability to do biometric authentication with a validated partner, ensuring better safety.

Even though biometrics is the most widely suggested replacement for passwords, it also comes with its own challenges. Biometric systems are seductive, but the reality isn't that simple. They have complicated security properties. But biometrics, if paired with other authentication processes, offers better protection and security to customers.


Information Security – Paradigm shift in thinking is the key

- By Dinesh K. Pillai, CEO, Mahindra Special Services.

Today the media is flooded with stories of hacking, data loss, phishing, trojans etc. These breaches are widespread even in organizations, government and private, local or multinational, that hold various certifications. Several figures in USD billions are attributed to these kinds of attacks by various research organizations, though the veracity of each figure can be questioned. Unfortunately, organizations are yet to understand the impact of an information security breach on their brand, competitive advantage and legal exposure, because these are generally intangible and hence difficult to measure. The belief that a certification is good enough to protect information is the biggest fallacy of organizations. Lack of focus on the other critical domains involved in protecting information makes the objective all the more difficult to achieve.

Information risk management: Perception vs. Reality
Let us look at the classical way of risk management in any organization. Top management's view of risk is focused on financial and operational risks, IT risks and other compliance-related areas. Hence lots of investment in money and resources is made to strengthen these areas, which is either required for survival or for compliance with various laws. Interestingly, top management measures every business investment with parameters such as ROI. However, there are no parameters available to measure the performance of investments in security and risk. Management looks at audit reports as the indicator of how the security investments are performing. Herein lies the biggest challenge that organizations need to overcome if they really want to be secure. Audits are definitely not a real indicator of the performance of the Risk Management Framework. Let me tell you why.

Compliance and audit reports create a false sense of security in the minds of top management, whereas the reality can be diametrically opposite. This perception can lead to catastrophic consequences. It is essential that the organization calibrate the gap between perception and reality as far as Information Risk Management is concerned.

Critical Factors, But Ignored
Now even if we assume that the IT security controls in an organization are good enough, it does not follow that information security meets expectations, since we generally overlook some critical areas: physical access to information, processes and human capital.

Let us look at physical access. Most of us believe that physical security is a ritual performed at the main point of entry. Once a person crosses it, he is assumed to be trusted and is pretty much free to move around most areas of the facility. Think about an employee who is given authorized access. Do we ever check the physical access he has within the office? The same information that is well protected in the IT space is easily available within the office, where an employee or a partner can readily access it. There are lots of unlocked workstations in organizations that facilitate unauthorized access to data in the IT systems. Access to a switch or a router can bring the complete network down. Then what is the point of investing in IT security, if the same information is easily accessible? Don't you think it is an investment giving no return?

The other area worth mentioning is process gaps which, when aligned, create a path for information leakage. The challenge here is the top-down approach of process audits. In this method, the audit usually throws up some gaps, which may be minor in nature. However, people with enough motivation and access to the information systems will know the gaps in every process, and they will align these gaps to create a data breach or fraud. This explains the increased instances of data breaches being reported now.

The major risk in information security is the low awareness among people of the value of information and of the basic hygiene they need to practice when handling it. Most of the time, attackers exploit the human element to break into highly secured infrastructure. However, we prefer to wish this risk away, citing the cultural issues in putting controls around human capital.

Change the thinking – Bring in Attacker’s perspective
Let us figure out how we can improve our defense levels in an Information Security Framework. We need to bring the attacker's perspective into the audit.

The first and foremost requirement is to move away from the compliance audit to the effectiveness audit. In an effectiveness assessment, instead of checking compliance, the audit team should try to break the control in whatever manner it can. The aim should be to break the control by identifying the weakest link. It can be a minor process gap, a technology vulnerability, a human failure or a combination of these factors that results in a breach. In this method, you are testing the information ecosystem from a 360-degree perspective rather than as standalone processes.

Accountability is one issue that needs focus if the framework is to be implemented properly. In most cases, accountability for the framework implementation rests with the IT or the Admin team, whereas ownership should lie with the business organization. There is generally a lack of interest in the business organization towards the implementation of the information security framework because normal audit reports only indicate the gaps, not their business impact. If we need the active participation of the business in information security initiatives, then business heads should be shown what they understand, i.e. MONEY. Yes, we need to show the business heads the impact of the current state in revenue terms, either as a financial loss or as an impact on competitive advantage. To do this, we need to move beyond the normal audit, exploit the gaps to capture the business impact, and present this as the audit report. Once they see the impact their business will suffer, it is only natural that they give mindshare and commitment to the implementation of the framework.

Conclusion
To conclude, the only way Information Security Implementation can improve and be sustained is when there is a move away from the contemporary compliance audit to the effectiveness audit. Along with this, we need to highlight to the Leadership and top management the business impact of weaknesses in the system(s), so as to ensure that the Framework Implementation is driven from the CXO level with a firm commitment.

 


WHY APPSEC (APPLICATION SECURITY) WON’T ALWAYS BAIL YOU OUT OF APPLICATION BASED RISKS?

- Dhananjay C. Rokde, Global Head, Systems Engineering, India and SAARC, Cox & Kings
 

It is very typical of organizations to perform Web Application (WebApp) Security Assessments not only before their new applications go live but also periodically on their existing applications. These assessments are known by all sorts of aliases, like Application Penetration Testing (App PenTest), Ethical Application Hacking etc. Companies that lack internal core competency in AppSec often resort to outsourcing this activity to competent 3rd-party players in the market.

The CXO function's expectations after the AppSec assessment often treat it as an additional or ancillary investment on top of the core development expenditure. The CXO function expects air-tight security within the application after such an assessment. Once the development teams start mitigation actions, one can often hear statements filled with hyper-expectations like 'the application should now become un-hackable' or 'no one can break the application now and it can go public'.

Despite these assessments, AppSec-tested applications are still not secure. This is because, in most cases, applications undergo assessment when they are either almost ready for production or already in production. This is against the spirit of AppSec to begin with, as AppSec is a process that should ideally be invoked right at the inception of the application's SDLC (software development life cycle). Very rarely are AppSec resources involved during requirement analysis or the finalization of the design. Therefore the assessment that happens (post-development) is more of a corrective activity than a proactive one. Flaws and vulnerabilities that could have been killed right at the beginning are most often patched (with quick hacks, not actual AppSec best practices) after the application is already in production.
AppSec professionals are often expected to perform miracles and mitigate flaws that are connected with the lifelines of the application. While business pressure will always compel teams to have applications up and running, it is never an easy situation for any CISO to let such applications fly without the proper checks and balances. Here are a few crucial factors that every CISO needs to consider before signing off applications, and for eliminating blind reliance on AppSec assessments. Although AppSec assessments are vital, they can never address people, processes and technology completely.

Lack of STP (Straight-Through-Processing) & Manual Hand-offs
AppSec can never be held responsible for processes that are offline or performed manually. While AppSec testers can test data validation, they can never test business rules. It is a common practice in several organizations to have online workflows that break out into (smaller or multiple) manual tasks. These could include physical verification or inspection, offline approvals, or matching records with another system. Wherever there is a manual hand-off, the application has to rely on the validation of the incoming data. This data can never be tested by AppSec resources. This is simply because applications only control the use of resources granted to them, not which resources are granted to them.

Intentional disruption of maker-checker mechanism
One of the most commonly observed practices in corporates is the dissolution of the maker-checker mechanism in the name of ease of use and time-saving. While such business rules may save some time, this is definitely the worst practice to adopt. A typical request-approval workflow works on the basis of the requestor (the maker) posting a request and some approver (the checker) taking a decision to approve, reject or hold the request. This workflow is generally disrupted by adding functionality like the 'checker being able to modify the request' or the 'checker being able to delete the request'. In such a scenario there is no validation or approval of the action taken by the checker, and the very essence of the maker-checker mechanism is lost. AppSec can only detect flaws (if any) in the transfer of control from the maker to the checker; it can never challenge the business rules or the excess privileges assigned to the checker.
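The intact workflow described above, with the two properties that the 'checker can modify or delete the request' variant throws away enforced in code: the checker is never the maker, and a checker can only approve, reject or hold, never edit, so any change to the request goes back through approval. This is an added example in Python, not code from the article or from Cox & Kings; the workflow class, the user names and the payment request are constructed for illustration.

```python
import hashlib
import json
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Set, Tuple


class Status(Enum):
    PENDING = "pending"
    APPROVED = "approved"
    REJECTED = "rejected"
    ON_HOLD = "on_hold"


# The only decisions a checker may take: approve, reject or hold, as the article
# describes. "modify" and "delete" are deliberately not checker actions.
CHECKER_DECISIONS = {"approve": Status.APPROVED, "reject": Status.REJECTED, "hold": Status.ON_HOLD}


class SeparationOfDutiesError(PermissionError):
    """One identity tried to act as both maker and checker."""


def payload_digest(payload: dict) -> str:
    """Canonical JSON digest: proves the checker decided on exactly the payload on file."""
    return hashlib.sha256(json.dumps(payload, sort_keys=True).encode()).hexdigest()


@dataclass
class Request:
    request_id: str
    maker: str
    payload: dict
    digest: str
    status: Status = Status.PENDING
    history: List[Tuple[str, str, str]] = field(default_factory=list)  # (event, actor, digest)


class MakerCheckerWorkflow:
    """Hypothetical maker-checker workflow (illustration, not the article's code).
    The checker is never the maker and may only approve, reject or hold;
    an edit by the maker voids any earlier decision."""

    def __init__(self, checkers: Set[str]) -> None:
        self.checkers = set(checkers)
        self.requests: Dict[str, Request] = {}

    def submit(self, maker: str, request_id: str, payload: dict) -> Request:
        req = Request(request_id, maker, dict(payload), payload_digest(payload))
        req.history.append(("submitted", maker, req.digest))
        self.requests[request_id] = req
        return req

    def decide(self, checker: str, request_id: str, decision: str, reviewed_digest: str) -> Status:
        req = self.requests[request_id]
        if checker not in self.checkers:
            raise PermissionError(f"{checker} is not an authorised checker")
        if checker == req.maker:
            raise SeparationOfDutiesError(f"{checker} cannot check their own request")
        if decision not in CHECKER_DECISIONS:
            raise PermissionError(f"a checker may not '{decision}' a request")
        if reviewed_digest != req.digest:
            raise ValueError("request changed after review; it must be reviewed again")
        if req.status not in (Status.PENDING, Status.ON_HOLD):
            raise ValueError(f"request is already {req.status.value}")
        req.status = CHECKER_DECISIONS[decision]
        req.history.append((decision, checker, req.digest))
        return req.status

    def amend(self, actor: str, request_id: str, new_payload: dict) -> Request:
        req = self.requests[request_id]
        if actor != req.maker:
            # This is the control that the 'checker can modify the request' variant removes.
            raise PermissionError("only the maker may amend; checkers decide, they do not edit")
        req.payload = dict(new_payload)
        req.digest = payload_digest(new_payload)
        req.status = Status.PENDING  # the earlier decision no longer covers this payload
        req.history.append(("amended", actor, req.digest))
        return req


def demo() -> Dict[str, str]:
    # Constructed scenario: alice raises a payment, bob is the approver.
    wf = MakerCheckerWorkflow(checkers={"alice", "bob"})
    req = wf.submit("alice", "PAY-1", {"beneficiary": "ACME Ltd", "amount": 1200})
    out: Dict[str, str] = {}
    try:
        wf.decide("alice", "PAY-1", "approve", req.digest)
    except SeparationOfDutiesError:
        out["maker_self_approval"] = "blocked"
    try:
        wf.decide("bob", "PAY-1", "modify", req.digest)
    except PermissionError:
        out["checker_modify"] = "blocked"
    try:
        wf.amend("bob", "PAY-1", {"beneficiary": "ACME Ltd", "amount": 999999})
    except PermissionError:
        out["checker_amend"] = "blocked"
    out["approved_by_bob"] = wf.decide("bob", "PAY-1", "approve", req.digest).value
    wf.amend("alice", "PAY-1", {"beneficiary": "ACME Ltd", "amount": 1300})
    out["status_after_maker_amend"] = req.status.value
    return out
```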

Password Management
Auditing for password management is always a tricky situation for AppSec professionals. While AppSec can always verify password strength, secure password storage & transmission. AppSec not dictate terms on the hard-coding of passwords into application frameworks. The most commonly found password management lacunae are Hard-coding passwords into macros and stored procedures & using a uniform password across the application framework. Because these passwords are hard-coded & difficult to change application development & infrastructure teams often seeks exceptions to ‘never change the passwords of the target systems or databases’.
Besides this, AppSec also cannot address the problem of password sharing among application development teams.
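A check a practitioner would want for the two lacunae just named, as an added example that is not part of the original article: a scanner that walks SQL scripts, stored procedures and Office macro source for credential literals, then reports any literal reused across files (the uniform-password problem). The file names, the sample source lines (constructed for this example, not taken from any real system) and the regular expressions are assumptions.

```python
"""Scanner for hard-coded credentials in SQL scripts, stored procedures and
Office macros, plus a check for the same literal being reused across files.

Added illustration, not code from the original article. The file names, the
sample source lines (constructed for this example, not taken from any real
system) and the regular expressions are assumptions.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple

# Constructed sample sources: a stored procedure, a VBA macro and two SQL scripts.
SAMPLE_FILES: Dict[str, List[str]] = {
    "dbo.usp_nightly_load.sql": [
        "CREATE PROCEDURE dbo.usp_nightly_load AS",
        "BEGIN",
        "  EXEC sp_addlinkedsrvlogin 'WAREHOUSE', 'false', NULL, 'etl_user', @rmtpassword = 'Summer2013!';",
        "  OPEN SYMMETRIC KEY CardKey DECRYPTION BY PASSWORD = 'Summer2013!';",
        "END",
    ],
    "report_macro.bas": [
        "Sub RefreshReport()",
        "    Dim strPwd As String",
        '    strPwd = "Summer2013!"',
        '    cn.Open "Provider=SQLOLEDB;Server=db01;Uid=app_user;Pwd=" & strPwd',
        "End Sub",
    ],
    "setup_users.sql": [
        "CREATE LOGIN app_user WITH PASSWORD = N'Summer2013!';",
        "CREATE LOGIN readonly WITH PASSWORD = N'R3p0rt$only';",
    ],
    "clean_proc.sql": [
        "CREATE PROCEDURE dbo.usp_get_balance @account INT AS",
        "  SELECT balance FROM dbo.accounts WHERE id = @account;",
    ],
}


class Finding(NamedTuple):
    path: str
    line_no: int
    kind: str
    secret: str


# The first matching pattern wins for a line, so the specific T-SQL forms come first.
# Only string literals are flagged; a value read from a variable or a secret store
# (the cn.Open line above) is what the fixed code should look like.
PATTERNS = [
    ("tsql-login-password", re.compile(r"WITH\s+PASSWORD\s*=\s*N?'([^']+)'", re.I)),
    ("tsql-linked-server", re.compile(r"@rmtpassword\s*=\s*N?'([^']+)'", re.I)),
    ("tsql-key-password", re.compile(r"DECRYPTION\s+BY\s+PASSWORD\s*=\s*N?'([^']+)'", re.I)),
    ("connection-string", re.compile(r"\b(?:password|pwd)\s*=\s*([^;\"'\s]+)", re.I)),
    ("macro-assignment", re.compile(r"\b\w*(?:pwd|password)\w*\s*=\s*\"([^\"]+)\"", re.I)),
]


def scan(files: Dict[str, List[str]]) -> List[Finding]:
    """Return one finding per line that embeds a credential literal."""
    findings: List[Finding] = []
    for path, lines in files.items():
        for line_no, line in enumerate(lines, start=1):
            for kind, pattern in PATTERNS:
                match = pattern.search(line)
                if match:
                    findings.append(Finding(path, line_no, kind, match.group(1)))
                    break
    return findings


def reused_secrets(findings: List[Finding]) -> Dict[str, List[str]]:
    """Literals that occur in more than one file: the 'uniform password' problem."""
    files_by_secret: Dict[str, set] = defaultdict(set)
    for f in findings:
        files_by_secret[f.secret].add(f.path)
    return {s: sorted(paths) for s, paths in files_by_secret.items() if len(paths) > 1}


def mask(secret: str) -> str:
    """Never echo the credential itself into a report or a ticket."""
    return secret[:2] + "*" * (len(secret) - 2) if len(secret) > 2 else "**"


def report(files: Dict[str, List[str]]) -> List[str]:
    findings = scan(files)
    lines = [f"{f.path}:{f.line_no} [{f.kind}] {mask(f.secret)}" for f in findings]
    for secret, paths in reused_secrets(findings).items():
        lines.append(f"REUSED {mask(secret)} in {len(paths)} files: {', '.join(paths)}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_FILES)))
```

On the constructed sample the scanner reports five literals and one password shared by the stored procedure, the macro and the login script, which is exactly the situation in which teams start asking for a ‘never rotate’ exception. The patterns are deliberately narrow; in a real code base they would be extended per platform, and the literal itself should be fingerprinted rather than stored.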

Excessive Super-User privilege abuse
A single set of administrative credentials being used by an entire team for local or remote administration, such as running backup scripts, routine batch jobs, or updating and patching, is one of the worst enemies of AppSec. While AppSec assessments revolve around the application components residing on the infrastructure, having multiple super-user identities or sharing the credentials of administrative users completely defeats the purpose of implementing AppSec controls.
Allowing too many user identities to directly access the application backend makes access auditing very complicated, and also makes change and incident control very challenging. Questions like ‘who did what, and when?’ become very difficult to answer. It is therefore essential to audit and restrict unnecessary access to the infrastructure that hosts the application.
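The audit problem described above, as an added example that is not part of the original article: a small detector run over authentication log lines that flags an account logged into from many distinct sources in a short window (the signature of a team-shared super-user), and shows what the trail looks like when administrators use personal accounts with sudo instead. The log lines are constructed syslog-style sshd and sudo entries (host app01, users priya and ravi, private addresses), and the one-hour window and threshold of three sources are assumptions chosen for this illustration.

```python
"""Detecting a team-shared super-user account from authentication logs, and
contrasting it with personal accounts that use sudo.

Added illustration, not code from the original article. The log lines are
constructed syslog-style sshd and sudo entries (host app01, users priya and
ravi, private addresses); the one-hour window and threshold of three distinct
sources are assumptions chosen for this example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample, not real log data.
SAMPLE_AUTH_LOG = """\
Sep  3 08:01:12 app01 sshd[2104]: Accepted password for root from 10.0.1.5 port 51022 ssh2
Sep  3 08:03:45 app01 sshd[2110]: Accepted password for root from 10.0.1.7 port 51130 ssh2
Sep  3 08:04:02 app01 sshd[2118]: Accepted publickey for priya from 10.0.1.9 port 51202 ssh2
Sep  3 08:04:40 app01 sudo:    priya : TTY=pts/1 ; PWD=/home/priya ; USER=root ; COMMAND=/usr/bin/patch_app.sh
Sep  3 08:10:19 app01 sshd[2131]: Accepted password for root from 10.0.1.12 port 51410 ssh2
Sep  3 08:11:03 app01 sshd[2140]: Accepted password for root from 192.168.4.20 port 40022 ssh2
Sep  3 08:12:55 app01 sshd[2148]: Accepted publickey for ravi from 10.0.1.11 port 51500 ssh2
Sep  3 08:13:30 app01 sudo:    ravi : TTY=pts/2 ; PWD=/opt/app ; USER=root ; COMMAND=/opt/app/bin/run_backup.sh
"""

SYSLOG = re.compile(r"^(\w{3})\s+(\d{1,2})\s+(\d\d:\d\d:\d\d)\s+\S+\s+(.*)$")
SSH_ACCEPTED = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")
SUDO_COMMAND = re.compile(r"sudo:\s+(\S+)\s*:.*?USER=(\S+)\s*;\s*COMMAND=(.*)$")


class Login(NamedTuple):
    when: datetime
    account: str
    source: str


class SudoAction(NamedTuple):
    when: datetime
    user: str
    target: str
    command: str


def parse(log: str) -> Tuple[List[Login], List[SudoAction]]:
    """Split the log into interactive logins and privileged commands."""
    logins: List[Login] = []
    actions: List[SudoAction] = []
    for line in log.splitlines():
        m = SYSLOG.match(line)
        if not m:
            continue
        month, day, clock, rest = m.groups()
        when = datetime.strptime(f"{month} {day} {clock}", "%b %d %H:%M:%S")
        ssh = SSH_ACCEPTED.search(rest)
        if ssh:
            logins.append(Login(when, ssh.group(1), ssh.group(2)))
            continue
        sudo = SUDO_COMMAND.search(rest)
        if sudo:
            actions.append(SudoAction(when, sudo.group(1), sudo.group(2), sudo.group(3).strip()))
    return logins, actions


def shared_accounts(logins: List[Login], window: timedelta = timedelta(hours=1),
                    threshold: int = 3) -> Dict[str, List[str]]:
    """Accounts seen from at least `threshold` distinct sources within one window.

    A personal account rarely does this; a credential handed to a whole team does
    it all day. The result maps each flagged account to every source it used.
    """
    by_account: Dict[str, List[Login]] = defaultdict(list)
    for login in logins:
        by_account[login.account].append(login)
    flagged: Dict[str, List[str]] = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e.when)
        for i, latest in enumerate(events):
            recent = {e.source for e in events[: i + 1] if latest.when - e.when <= window}
            if len(recent) >= threshold:
                flagged[account] = sorted({e.source for e in events})
                break
    return flagged


def who_did_what(actions: List[SudoAction]) -> List[Tuple[str, str, str]]:
    """With personal accounts plus sudo, each privileged command names a person."""
    return [(a.when.strftime("%H:%M:%S"), a.user, a.command) for a in actions]


if __name__ == "__main__":
    logins, actions = parse(SAMPLE_AUTH_LOG)
    for account, sources in shared_accounts(logins).items():
        print(f"shared credential suspected: {account} from {', '.join(sources)}")
    for when, user, command in who_did_what(actions):
        print(f"{when} {user} ran {command}")
```

On the sample, four ‘root’ logins from four addresses inside ten minutes are flagged, and nothing in the log says which person was behind any of them; the two sudo entries, by contrast, answer ‘who did what, and when?’ directly. The threshold and window are tuning knobs: lower them on a host that should only ever be administered from a jump box.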

Unauthorized migration of environments
Developers often start development in a sandbox environment (colloquially known as the ‘Dev’ environment). As they progress on their (software) builds and releases, they often do not port the changes into the UAT (user acceptance testing) or QA (quality assurance) environments. This is a very common blunder made by many development teams under the pretext of stringent timelines and a lack of migration strategy. It causes the same build or release to mature in the ‘Dev’ environment itself, and that environment eventually ends up in ‘production mode’.

Before actually starting the AppSec assessment, internal teams must ensure that a clone of the production environment is ready at hand. This decreases the chances of the application becoming unavailable due to unforeseen effects of the assessment. AppSec testers sometimes run intrusive checks which have the potential to bring down essential services within the application.

Besides this, a clone QA or UAT environment helps expedite the vulnerability mitigation process without any negative business impact.

Excessive dependency on automated scanning tools and services
Most organizations looking to build up their internal AppSec competency procure some sort of automated scanning tool or service. These services are also offered as pay-as-you-use, on-demand cloud services. One key aspect here is that these tools and services are completely black-box. These tools do NOT have the ability to:

1. Understand business rules and workflows.
2. Detect and interpret ‘logical’ vulnerabilities.
3. Perform ‘deep crawling’ of sophisticated applications that do not expose all their links.
4. Detect vulnerabilities in JavaScript- and Flash-based functionality.

Most often, several of the vulnerabilities reported by these tools are false positives (and worse, sometimes there are false negatives, too). A great amount of human effort is required to fine-tune these scanners. Automated scanning can never replace human AppSec professionals; these tools only facilitate the assessment.
Based purely on my personal experience, after I saw some interesting results post some internal NetSec assessments, I can confidently state that a NetSec (Network Security) assessment is often better at annihilating WebApps.

The approach of NetSec professionals is very different from that of AppSec folks. NetSec pros concentrate on the attack surface (server infrastructure and communication equipment) rather than getting into the application itself. AppSec and NetSec are both hot skills in the market, and good resources are very hard to find. This is in no way a comparison of the intellect required for, or the level of difficulty of, either discipline.

This point can be illustrated with a scenario. When an AppSec tester is able to manually verify a privilege escalation, he or she would generally note down the affected module (piece of the application) and rank the risk based on the data that became visible as a result of running the test. However, this escalation may not necessarily take the tester any further and could be a dead end: a flaw, nevertheless, but one that does not result in someone taking over the complete application.

While the AppSec test will conclude in that manner, NetSec pros take this to the next level. They generally don’t rest until they have struck the application really hard. They will pursue this until they find some serious information leakage, an SQLi (SQL injection) that reveals some fascinating data, or a general platform flaw that lets them ‘own’ the entire system. The key difference observed here is that while AppSec folks will generally not venture beyond assessing and testing, NetSec pros take the application environment to its breaking point. This clearly indicates the distinct ideology of the two skill sets.

The argument here is not whether an assessment is better than a full-blown PenTest, but that AppSec professionals sometimes get mental blinders, and that they should freely consult their NetSec peers to help them perform successful PenTests.


Dispelling previous myths, a new BYOD culture dawns!

By Sajan Paul, Director, Systems Engineering, India and SAARC, Juniper Networks
It is no surprise that employees are becoming more mobile to improve their productivity. More than ever, employees are using their mobile devices, be it smartphones or tablets, to work from wherever they are and whenever they want. They use these devices to gain quick and easy access to the information and applications they need to do their jobs effectively. As more and more companies give employees the freedom to bring their own devices to work, the need to mitigate risk and ensure that company assets are protected has never been so crucial.
The IT infrastructure of the current workplace is complex and requires adherence to the highest standards for performance and uptime. People are accessing data wirelessly through various devices across multiple locations. It is not just employees who need access to the wireless network, third party partners such as vendors and customers also require access. This poses a challenge for CIOs who have to deal with the complexity of securing the network while at the same time, providing easy access.

Every new wireless device brings with it the possibility of malware, viruses and other programs that could damage or disrupt the corporate network. In fact, a recent study by Juniper Networks Mobile Threat Center shows the rapid growth and evolution of mobile malware into a profitable business for attackers. The research found mobile malware threats growing at a rapid rate of 614 percent to 276,259 total malicious apps, demonstrating an exponentially higher cyber criminal interest in exploiting mobile devices. Thus, for all the malicious threats flying around today, a proper security and device management solution must be implemented in order to ensure that sensitive data residing on the network is not compromised. Some of the components that enterprises must keep in mind while implementing a mobile security solution are:

• On-device anti-malware to protect against malicious applications, spyware, infected SD cards and malware-based attacks to the device
• On-device firewall to protect device interfaces
• SSL/VPN clients to effortlessly protect data in transit, and to ensure secure and appropriate network access and authorization
• Centralized remote locate, track, lock, wipe, backup and restore facilities for lost and stolen devices
• Centralized administration to enforce and report on security policies across the entire mobile device population
• Support for all major mobile platforms, including Google Android, RIM BlackBerry, Apple iOS, Microsoft Windows Mobile and Nokia Symbian
• Device monitor and control, such as the monitoring of messaging and control of installed applications
• A solution that integrates with network-based technologies, such as network access control (NAC), to ensure the security posture of mobile devices and determine appropriate access rights prior to allowing access to corporate resources
• Management capabilities to enforce security policies, such as mandating the use of PINs/passcodes
• Ability for an administrator to monitor device activity for data leakage and inappropriate use
• Northbound API integration with well-known MDM solution providers for heterogeneous environments
• Enforcement capability with federated perimeter firewalls for policy enforcement

By implementing the right BYOD policies, CIOs can confidently grant the employees and third parties easy access to the company’s network, without any concerns of being vulnerable to risk. This benefits both the CIO and the enterprise by increasing productivity and operational efficiency as well as reducing OPEX. When CIOs deploy a robust network that’s capable of securing everything from the device to the core, that not only integrates but enables mobility at scale, plus delivers better communication, collaboration, and productivity, they create a win-win situation for enterprise and employee alike.


PHISHING BIG GAME

 By Limor S. Kessem, Cybercrime and Online Fraud Communications Specialist, RSA

Anyone aware of or involved in information security in this day and age would be quick to agree that the threats linked with using the Internet have drastically changed since the early to mid 90’s, when the use of this medium explosively impacted culture and commerce. Early threats had little way of spreading, the number of users was tiny compared with today’s Internet traffic, and the biggest worry was viruses wreaking havoc on people’s personal computers.

Online threats have come a long way and can now be held accountable for a growing list of misdeeds and crime. From the pettier financially-driven theft – which actually yields the least collateral damage – to theft of priceless intellectual property, the facilitation of business espionage, involvement in disrupting critical infrastructure, and penetration of secure systems that can translate into cyber-war, the demons of the digital world impact our finances, our identities and the world as we know it today.
Although more diverse and more advanced than ever, it appears that almost all threats still share that one, rather benign-looking gateway… Surprisingly, that gateway is… Phishing! How do most threats connect with Phishing? And why is this older, well-known threat still so prevalent today?

PHISH THE HUMANS – THE ART OF DECEPTION AND PERSUASION
Looking at the short historical timeline of online threats, Phishing can be considered an ‘old threat’. The term Phishing was being discussed as early as 1996; a quick calculation shows that Phishing is 16 years old now, and yet the world has not been able to rid itself of this phenomenon. Phishing is still one of the top threats on the Internet today; its direct and indirect costs tax the global economy with billions of dollars in fraud damages every year.

RSA reports released early this year show that worldwide losses from Phishing attacks alone amounted to over $520 million during H1 2011; a 43% increase in attack numbers translated into $755 million through H2 2011. Total monetary losses were Rs 5,760 crore (or $1.28 billion USD globally), with India ranking in the top 5 most targeted countries for phishing attacks, having been robbed of a $38 million USD portion of that pie.

What makes Phishing such a successful threat? In one word: Evolution. They say “The Strongest Survive” and in that sense it appears that Phishing has what it takes—a good DNA and the ability to evolve over time.

At the core of this threat lies a powerful magnet: human emotion. Although Phishing is a 21st century crime, manipulation, deceit and persuasion are not. What makes Phishing successful is the use of social engineering, which drives most of the schemes used by cybercriminals today to manipulate online users into disclosing crucial information. The concept of social engineering is deeply rooted in many fundamental social psychology principles, hence its perpetual success.

There are several aspects of psychology we can draw-on in understanding how social engineering works, specifically the psychology of persuasion. In social psychology, there are two alternative routes of persuasion that can be employed when attempting to elicit a response from another:

Again, neither is new; the peripheral route to persuasion has been, and still is, vastly used in confidence scams and in telemarketing fraud.
Because persuasion is such a pervasive component of our lives, it is easy to overlook the external influences affecting us. When it comes to Phishing, cybercriminals rely on those peripheral routes to persuasion in order to succeed in getting a victim to respond via an emotional reaction to anxiety or excitement.

Every Phishing attack, of every type (broad-spectrum spam, Spear Phishing, whaling), begins with a ploy and built-in emotional triggers. Regardless of the method of delivery of the Phishing URL or the e-mail containing the message, the intended user has to be convinced that he needs to go to that page for a reason valid enough to then part with access credentials and personally identifying information: the sort of data the user already knows is a secret that should only be shared with the trusted source that issued it.

The better ploys add these common human motivators and emotions to the mix:

In terms of numbers and effectiveness of attack ploys, it appears that the most successful campaigns rely on trust. This explains the current and prominent trend of Phishing via social networks or purporting to be a known source, which infallibly yields more victims. Creating that rush of strong emotion within a potential victim repeatedly enables cybercriminals to elicit an immediate response, as the victim’s ability to think logically will likely be hindered.

Attack metrics show that the effect of trust-abuse is further enhanced when people receive social engineering messages on their mobile phones, making them respond even faster and be the first to reach newly launched Phishing pages.

Why the mobile phone? Because once again, the user trusts that only those who know him/her have his/her number; moreover, the mobile phone is much more a personal device than say a PC, that others also use at home or at the office.

A recent article about social engineering via social networks, challenging readers with “Can I Get You in 5 Tries?”, showed how banking on trust can be so effective that it ends up convincing the savviest. It appears that none is exempt from the most human downfall – emotionally driven action.

PHISHING AS THE KEY TO PANDORA’S BOX
Phishing is the key to many other web-borne ailments. Although social engineering has always been a major tool in the arsenal of online fraud operators and scammers, it took organizations quite some time to finally realize that Phishing was a serious problem for everyone. Even if the first to feel the crunch was the financial industry, we know today that no entity is safe from the harm and indirect damages a successful Phish can inflict.

Phishing, and more precisely Spear Phishing, as it turns out, is the entry point of the worst threats into an organization’s systems. Invariably having to rely on the human factor in order to compromise the security of systems and networks, attackers planning malware infections or even APT schemes use the same methods to get their foot in the door. That ‘door’ attackers are looking for may just be easier to find than ever before. With a consumerization trend rapidly and quite insidiously invading everything we do, the ease of Phishing the human is set to increase. Research firm KPMG’s e-Crime Report 2011 cautioned that “the future of targeted malware delivery is inextricably linked to social networking”.

When it comes to targeted attacks, the problem is magnified since the recipients of Spear Phishing are not your average webmail recipient, but rather individuals working in corporate environments with access to the organization’s resources. Here the threat crosses delivery vectors and simultaneously reaches targets on their mobile devices as well as their corporate email address; criminals know this and rely on it paving the way in.

How likely is it then, for someone inadvertently reading email on a work-issued Blackberry phone to recognize a message in which every step was calculated and made to lead into perfect infiltration? How likely is it that if the message contained an interesting file, the user would open it at that very moment? How much later will the phone be synched with that user’s corporate PC?

Make no mistake – Spear Phishing malware campaigns are premeditated, planned and well organized; attackers use toolkits and advanced sending techniques to ensure the right amount of exposure to the intended recipients.

The correspondence used is not only well articulated, but also makes use of modern filtering evasion techniques to bypass security mechanisms and land in the recipients’ inbox, and not their “Junk” email folders, further augmenting the chances that message will be opened, and its content unleashed on the target system.

Take for example financial fraud scenarios, where Phishers have become extremely business-oriented, actively looking at methods and measures to ensure maximum profitability of each campaign. When they carry the same attitude over to the realms of malware in the enterprise, data breaches and infiltrating organizations, criminals are all the more focused, driven by precise goals and higher stakes and bottom-line profitability motivators.

It is only logical that those who prepare the bait that will open the door take its crucial role very seriously, and thus plan more carefully, rendering the foe harder to detect or dismiss.

Cybercrime is a big threat to India’s large online population, which loses billions to online fraud every year. At the end of the day we see that Phishing is only picking up more speed; attacks are qualitatively better than ever and numbers are increasing every year. At this level of sophistication and criminal intent, there is a need to stop these threats. Organizations need to gear up to prevent risks and learn how to mitigate them once the attacker is already in the system.

ABOUT RSA
RSA, The Security Division of EMC, is the premier provider of security, risk and compliance management solutions for business acceleration. RSA helps the world’s leading organizations succeed by solving their most complex and sensitive security challenges. These challenges include managing organizational risk, safeguarding mobile access and collaboration, proving compliance, and securing virtual and cloud environments.
Combining business-critical controls in identity assurance, encryption and key management, SIEM, Data Loss Prevention and Fraud Protection with industry-leading eGRC capabilities and robust consulting services, RSA brings visibility and trust to millions of user identities, the transactions that they perform and the data that is generated. For more information, please visit www.RSA.com and www.EMC.com.


EC- Council empowers Students through a Seminar on Cyber Security

Over 300 students came together for a seminar on cybersecurity, specifically on Penetration Testing and Computer Forensics

Mumbai, August 28th 2013: EC-Council, the world’s leading provider of certifications and training in the information security domain, in association with Zen Technologies, organized an educational seminar on August 28th 2013 at St. Xaviers College, Mumbai and Ramnarain Ruia College, Mumbai.

The seminar was organized to educate students on the scope of career opportunities and future prospects in the cyber security domain, an extremely critical sector that is only set to grow in the coming years. The seminar was conducted by Mr. Haja Mohideen, VP-Technology and Co-Founder, EC-Council.

Regarding this initiative Mr. Akash Agarwal, Country Manager, EC-Council India said “The field of cyber security is growing by leaps and bounds but there is a lack of skilled professionals to meet the growing need. By training and educating the future cyber security professionals while adhering to global requirements and standards, we wish to create an army of cyber warriors to tackle the challenges of tomorrow. India is the software capital of the world and definitely has a vast talent pool which can be trained and educated on the nuances of the fast growing need of the highly skilled cyber security experts.”

According to a recent survey conducted by the International Data Corp, there is a requirement of close to 5 lakh cybersecurity professionals in India. This number is only set to grow and the best step to tackle this issue is to train the professionals of tomorrow and ensure they are qualified to tap the opportunities and tackle the challenges that will be awaiting them.  Jobs in the market range from Penetration Testers, Network Security Specialists, Website Administrators, to Security Analysts.

According to Mr. Abhay Thakkar, CEO, Zen Technologies, “Not only does IT Security offer great career opportunities, but is also necessary for everyone to learn because of the constant threats emerging on the internet every day.”

To provide cyber security training and to fill the gap, EC-Council had recently initiated Code-Uncode, a nationwide competition for students, professionals, colleges and corporates. The competition aims to bring together existing and aspiring security enthusiasts from all fields of the infosec world from the Corporate and government bodies to academic institutions. The preliminary round was completed successfully a few weeks back.

EC-Council backed with their vast experience in global competitions and conferences like Hacker Halted, TakeDownCon and Global Cyberlympics, is bringing the global movement and trend to India through Code Uncode.

About EC-Council 
EC-Council (International Council of E-Commerce Consultants) is one of the world’s largest certification bodies for Information Security professionals. EC-Council is a member-based organization that certifies individuals in various information security and e-business skills. It has been certified by the American National Standards Institute to meet its ANSI 17024 standard. It is the owner and creator of the world famous Certified Ethical Hacker (CEH), Computer Hacking Forensics Investigator (CHFI) and EC-Council Certified Security Analyst (ECSA)/Licensed Penetration Tester (LPT) programs, as well as many other programs. These programs are offered in over 92 countries and have trained over 120,000 and certified more than 60,000 security professionals through a training network of over 500 training partners globally.

Individuals who have achieved EC-Council certifications include those from some of the finest organizations around the world such as the US Army, the FBI, Microsoft, IBM and the United Nations.

About Zen Technologies
Zen Technologies was established in 2009. The Company has been involved in the field of training students and professionals in the field of IT Security and niche courses in Algorithm Trading.


EC-Council Building the Cyber Army; Organizes Seminar on Ethical Hacking at Thapar University

Over 200 students from Thapar University attend a two day seminar on ‘Ethical Hacking and its Essentials’

Mumbai, August 29th 2013: EC-Council, the world’s leading provider of certifications and training in the information security domain organized a two day educational seminar on Aug 30th and 31st at Thapar University to educate and engage with students on Ethical Hacking and its essentials in the cyber security domain, a sector that is set to grow exponentially and offer lucrative job opportunities.

The GOI recently released the ‘National Cyber Security Policy 2013’, highlighting the fact that the security of cyber space is not an optional issue but an imperative need. The policy has laid emphasis on creating a workforce of 5,00,000 professionals skilled in cyber security in the next five years through capacity building, skill development and training.

Mr. Akash Agarwal, Country Manager, EC-Council India said, “By training and educating the future cyber security professionals while adhering to global requirements and standards, we wish to create an army of cyber warriors to tackle the challenges of tomorrow. India is the software capital of the world and definitely has a vast talent pool which can be trained and educated on the nuances of the fast growing need for the highly skilled cyber security experts.”
EC-Council recently organized another seminar in Mumbai on “How to Build a Successful Career in Cybersecurity using Penetration Testing and Computer Forensics”, which was attended by over 300 students from St. Xaviers College and Ramnarain Ruia College. This series of seminars will not only educate the youth on the importance of cybersecurity but also provide them with solutions and opportunities to better their existing skills.
It is essential to train the professionals of tomorrow and ensure that they are qualified to tap the opportunities and tackle the challenges that will be awaiting them. Job opportunities in the market range from Penetration Testers and Network Security Specialists to Website Administrators and Security Analysts.

To provide cyber security training and to fill the gap for professionals working in this field, EC-Council has initiated Code-Uncode, a nationwide competition for students, professionals, colleges and corporates. The competition aims to bring together existing and aspiring security enthusiasts across all fields of the infosec world from the Corporate and government bodies to academic institutions. The preliminary round was completed successfully a few weeks back.

EC-Council, backed with their vast experience in global competitions and conferences like Hacker Halted, TakeDownCon and Global Cyberlympics, is bringing the global trend to India through Code Uncode.
