Showing posts with label complaince.

Friday, 17 August 2018

From Tech to Business-Driven Security


INTRODUCTION:

In today’s digital world, IT security strategy must be transformed into a business-driven security strategy; otherwise vital digital transformation projects fail because they become irrelevant to the business model of the organisation.

TRANSFORMATION TO BUSINESS-DRIVEN SECURITY:

Information security practitioners such as an organisation's security analysts and consultants should look at information security from a business perspective and enforce proper risk management, so that during a threat the data and assets most important to the organisation are protected from loss.
To enforce a business-driven model of information security, an organisation must understand and assess its risks in real time and mitigate them by having a skilled incident management team determine incidents conclusively. In short, it is more critical to have risk management in the organisation than a regular threat management team.
To create a compelling business-driven security model, an organisation must identify all of its assets, where they are located, which assets are more vulnerable to threats and attacks, and so on. This helps it categorise its holdings for useful incident and risk management and for mitigation of threats.

WHY A BUSINESS-DRIVEN SECURITY MODEL: ITS IMPORTANCE:

The need for business-driven security arises mainly from evolving threats across many aspects of technology, including the latest trends such as the Internet of Things (IoT), Artificial Intelligence (AI) and Machine Learning. As these new technologies evolve, the attack vectors against them also evolve every day.
For example, IoT devices may have vulnerabilities at the firmware level and at the application level, which an attacker can exploit to take control of the device, gradually increasing the threat to the owning organisation.
Another primary reason for the business-driven security model is “The Gap of Grief”. The Gap of Grief refers to the void in understanding of how security vulnerabilities can cause financial and reputational loss to an organisation. A significant part of this problem is that CISOs and other information security staff, such as penetration testers and consultants, fail to translate the challenges and risks found when assessing a threat into business terms. In cyber-security terms, the gap of grief is the problem created by not being able to report security issues effectively to the appropriate people at the right time.
Consider an example scenario: the CEO tours television and radio studios in a bid to dispel negative press and to assure the public that their data is safe with the company. This often backfires when it becomes apparent that the CEO has very little knowledge of the company's cyber-security operations, let alone how the breach occurred or how many customers were affected. This causes problems for the organisation, and the gap becomes visible.

ASPECTS OF THE BUSINESS-DRIVEN MODEL:

The key element of the business-driven security model is to focus more on detecting and assessing threats than on protection, since protection alone is a complicated job to carry out. There should then be a valid defence strategy for each asset and its vulnerabilities, and that defence strategy should have definite cost-to-benefit values assigned.
Another aspect of the business-driven security model is that it should include the required skilled people, processes and technology (tools and services) for carrying out the risk management process.
Organisations need to find the security gaps between the current security level of their applications and infrastructure and the ideal security level they want to reach for effective risk management. This gap analysis is one of the key aspects of creating a business-driven security model, and it helps security staff work effectively on closing the gaps and patching the vulnerabilities.
Management should rank all assets and applications based on the key value of each asset. It is then easy for security staff to carry out gap analysis on a regular basis, driven by the risk ratings of the assets and applications.

CONCLUSION:

The business-driven security model is more useful for an organisation, not just in terms of cost but also in terms of proper assessment of threats and risk. If implemented in the correct way, it becomes an essential security model that helps security staff mitigate threats and security breaches. Through a business-driven approach, BriskInfosec orchestrates business-driven security in a more agile and secure way. Since the model relies heavily on the organisation's risk levels, it helps any organisation save a lot of the money and time it was spending on incident and threat management.

Just talk to us and hire us to create business-driven security solutions for your organisation.

AUTHOR:

Dawood Ansar
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd
Find me @https://www.linkedin.com/in/dawood-ansar-29403213b/

Thursday, 5 July 2018

RISK MANAGEMENT: HOW TO CALCULATE RISK?

INTRODUCTION:

Risk assessment and risk management are done by calculating severity and likelihood. Severity is based on the level of disaster that will impact the organisation in the future. Likelihood is based on how probable it is that the risk will change the organisation. Risk is calculated by analysing how the impact occurs and how it can be mitigated, based on that calculation.
It is also a meaningful way to protect the organisation's business while at the same time complying with law and procedure. It helps focus on the risks that matter to the organisation. In many scenarios, direct measures can be summed up to control risks, which means simple, cheap and effective measures to protect your most valuable assets.
In the risk assessment and risk management process, we are going to discuss how the process is done. The contents are as follows.
  1. Identify the hazards
  2. How the risk has happened
  3. Evaluate the risks
  4. Scale for the Likelihood
  5. Scale for the Consequence
  6. Treating the risk occurred
  7. Review Assessment
  8. Conclusion

STEP 1 – IDENTIFY THE HAZARDS:

To understand a risk, it is vital to understand the context in which it exists. The relationship between the organisation and the environment it functions in needs to be defined, so that the outline of the risk the organisation faces is evident.
  • Look at the location of data and its exposure;
  • Interview the people closest to the asset;
  • Check for any recent incidents.

STEP 2 – HOW THE RISK HAS HAPPENED:

This step identifies the likelihood and consequence of the risk occurring. The risk can be of any type, such as physical, ethical or financial.
Physical risks are those involving damage to organisational assets such as infrastructure equipment, injuries to employees, and terrible weather conditions that affect routine services.
Ethical risks involve potential harm to the reputation and services of the organisation. Trust in the organisation degrades when a data breach or leakage occurs.
Financial risks involve the loss of organisational assets, such as any theft or financial breach that occurs over the internet.

STEP 3 – EVALUATE THE RISKS:

Risk evaluation means analysing the likelihood and consequences of the identified threat and deciding which risk factors could potentially have an effect and need to be made a priority. The level of the risk is determined by the likelihood and consequence of the impact.
Evaluation is done by comparing the impact of the risk found during the analysis with the risk criteria previously set by the organisation.
The criteria for evaluating the risks are as follows.

SCALE FOR THE LIKELIHOOD:

Likelihood | Description
5 | Certain: Will probably occur, often several times per year
4 | Likely: Likely to arise once per year
3 | Possible: Occurs once in a five-year period
2 | Unlikely: Disaster occurs once in 10+ years
1 | Rare: Barely occurs

SCALE FOR THE CONSEQUENCE:


Severity | Description
5 | Catastrophic
4 | Major
3 | Moderate
2 | Minor
1 | Negligible

Calculation of risk priority
Risk = Likelihood * Impact

Likelihood \ Impact | 1        | 2        | 3         | 4         | 5
1                   | Very Low | Very Low | Low       | Low       | Medium
2                   | Very Low | Low      | Medium    | Medium    | High
3                   | Low      | Medium   | Medium    | High      | High
4                   | Medium   | Medium   | High      | High      | Very High
5                   | High     | High     | Very High | Very High | Very High
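The matrix above can be applied directly to a risk register. The following is an added example, not code from the original post: it encodes the post's two scales and its 5x5 matrix, rates and prioritises a constructed sample register, and lists the cells where the matrix disagrees with the bare product Likelihood * Impact (the matrix weights likelihood more heavily in three cells).

```python
"""Rate and prioritise a risk register with the post's 5x5 matrix.

Added example, not part of the original post. The likelihood and
consequence scales and the matrix are taken from the post; the asset
register below is constructed sample data."""
from dataclasses import dataclass
from typing import List, Tuple

LIKELIHOOD = {5: "Certain", 4: "Likely", 3: "Possible", 2: "Unlikely", 1: "Rare"}
IMPACT = {5: "Catastrophic", 4: "Major", 3: "Moderate", 2: "Minor", 1: "Negligible"}

# Row = likelihood score, column index = impact score - 1, exactly as in the post.
MATRIX = {
    1: ["Very Low", "Very Low", "Low", "Low", "Medium"],
    2: ["Very Low", "Low", "Medium", "Medium", "High"],
    3: ["Low", "Medium", "Medium", "High", "High"],
    4: ["Medium", "Medium", "High", "High", "Very High"],
    5: ["High", "High", "Very High", "Very High", "Very High"],
}
# Qualitative ratings from least to most urgent.
RATING_ORDER = ["Very Low", "Low", "Medium", "High", "Very High"]


def rate(likelihood: int, impact: int) -> str:
    """Qualitative rating for a (likelihood, impact) pair on the 1..5 scales."""
    if likelihood not in LIKELIHOOD or impact not in IMPACT:
        raise ValueError(f"scores must be 1..5, got L={likelihood} I={impact}")
    return MATRIX[likelihood][impact - 1]


@dataclass
class RiskEntry:
    asset: str
    threat: str
    likelihood: int
    impact: int

    @property
    def score(self) -> int:
        """Numeric Risk = Likelihood * Impact, as stated in the post."""
        return self.likelihood * self.impact

    @property
    def rating(self) -> str:
        return rate(self.likelihood, self.impact)


def prioritise(register: List[RiskEntry]) -> List[RiskEntry]:
    """Most urgent first: matrix rating, then the numeric score as tie-breaker."""
    return sorted(register, key=lambda e: (RATING_ORDER.index(e.rating), e.score), reverse=True)


def asymmetric_cells() -> List[Tuple[int, int]]:
    """Cells where swapping likelihood and impact changes the matrix rating.

    For these pairs the numeric product alone would rank two risks equally,
    but the post's matrix does not: it rates the higher-likelihood risk higher."""
    return [(l, i) for l in range(1, 6) for i in range(l + 1, 6) if rate(l, i) != rate(i, l)]


# Constructed sample register (not real assessment data).
SAMPLE_REGISTER = [
    RiskEntry("Customer database", "Data breach via web app", likelihood=2, impact=5),
    RiskEntry("Office network", "Weather-related outage", likelihood=4, impact=1),
    RiskEntry("Payment gateway", "Online financial fraud", likelihood=3, impact=5),
    RiskEntry("Intranet wiki", "Defacement", likelihood=1, impact=2),
]

if __name__ == "__main__":
    for e in prioritise(SAMPLE_REGISTER):
        print(f"{e.rating:9} (L{e.likelihood} x I{e.impact} = {e.score:2})  {e.asset}: {e.threat}")
    print("likelihood-weighted cells:", asymmetric_cells())
```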

STEP 4 – TREATING THE RISK OCCURRED:

Risk treatment identifies the range of options for treating the risk, prepares the risk treatment plans and applies those plans. The treatment options need to be proportionate to the significance of the risk.
According to the standard, the following options exist:
  • Accepting the risk
  • Avoiding the risk
  • Reducing the risk
  • Transferring the risk
  • Retaining the risk
  • Financing the risk

STEP 5 – REVIEW ASSESSMENT:

Reviewing is an ongoing part of risk management and an integral step of the process. It is also an essential part of all business functions, which need to be monitored and treated. Monitoring and reviewing the risk ensures that the information generated by the risk management process is logged, used and maintained.

CONCLUSION:

The risk assessment and management procedure above should be implemented by organisations to secure their work activities. However, some other methods include activities where the work procedure covers employees undertaking work experience within the organisation. The risk management process needs to be embedded in the operations and governance of every organisation. However, there is no ‘one size fits all’ way of embedding risk management; preferably, the process must be adapted to fit the size, complexity, industry competition and environmental uncertainty faced by the organisation.
Briskinfosec offers a comprehensive approach to managing risk and compliance in the organisation more effectively. Our customised solution addresses the policies, procedures, technologies and competencies across several streams of work within the risk management categories of governance, process and technology.

AUTHOR:

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/

Saturday, 2 June 2018

From Tech to Business-Driven Security



Thursday, 19 April 2018

PCI-DSS VS ISO 27001 STANDARDS



INTRODUCTION:

PCI-DSS and ISO 27001 are both organised as sets of requirements; PCI-DSS addresses the processing of cardholder data. PCI-DSS has 12 sets of elements with about 250 controls aimed at securing credit card information. ISO 27001 has 11 sets of elements with 114 controls aimed at planning, implementing, running, monitoring and improving an ISMS. In this article, I discuss and examine the interoperability of PCI-DSS and ISO/IEC 27001, as well as some of the pros and cons of each standard.

PCI-DSS STANDARD:

PCI-DSS is a data security standard for credit card organisations, and it applies only to companies that process, store or transmit credit card data. Compliance with the standard is mandatory, though the requirements depend on the range of cards processed. PCI-DSS was developed by a council consisting of Visa, MasterCard, American Express, Discover and JCB to protect payment cards and the cardholders' sensitive information processed by organisations.

ISO 27001 STANDARD:

ISO 27001 is a standard whose scope includes seven main titles: organisation, leadership, planning, support, operation, performance evaluation and improvement. It is recognised worldwide and lays down the requirements for establishing an ISMS. It applies to any organisation.

HIGH-LEVEL MAPPING OF PCI-DSS AND ISO 27001

PCI-DSS requirement | ISO 27001 clause
1. Install and maintain a firewall configuration to protect cardholder data. | A-12: Operations security; A-13: Communications security
2. Do not use vendor-supplied defaults for system passwords and other security parameters. | A-12: Operations security; A-13: Communications security
3. Protect stored cardholder data. | A-12: Operations security; A-13: Communications security
4. Encrypt transmission of cardholder data across open, public networks. | A-14: System acquisition, development and maintenance
5. Protect all systems against malware and regularly update antivirus software or programs. | A-14: System acquisition, development and maintenance
6. Develop and maintain secure systems and applications. | A-14: System acquisition, development and maintenance
7. Restrict access to cardholder data by business need to know. | A-12: Operations security; A-13: Communications security
8. Identify and authenticate access to system components. | A-12: Operations security; A-13: Communications security
9. Restrict physical access to cardholder data. | A-11: Physical and environmental security
10. Track and monitor all access to network resources and cardholder data. | A-12: Operations security; A-13: Communications security
11. Regularly test security systems and processes. | A-14: System acquisition, development and maintenance; A-6: Organisation of information security; A-18: Compliance
12. Maintain a policy that addresses information security for all personnel. | A-5: Information security policies

COMPARISON OF PCI-DSS AND ISO 27001

Both PCI-DSS and ISO 27001 are recommended, and in some cases required, because they provide better risk management solutions for the card data industry and other organisations. ISO 27001 is better than PCI-DSS in that all of its controls are written at a high level. PCI-DSS has compliance levels to measure the maturity level of the company, but no compliance levels exist in ISO 27001. “The organisations have to determine the boundaries and applicability of the information security management system to establish its scope.” Comparing the scope of the two standards, scope selection in ISO/IEC 27001 depends on the company, whereas in PCI-DSS the scope is exactly the credit cardholder information.
The controls in ISO 27001 are suggestions for all organisations, whereas it is important to note that the controls in PCI-DSS are mandatory for payment and cardholder data organisations.
Although ISO 27001 contains more requirements than PCI-DSS, it is easier for organisations to comply with the ISO 27001 standard.
In terms of cost, establishing a partial ISMS audit and PDCA cycle costs the organisation more, as it is mandatory.
In an organisation, the recertification audit for ISO 27001 is performed in three-year cycles, and an internal scoped audit is conducted. There are also surveillance audits, which are done at least once. In every PCI-DSS audit, there are four network scanning audits and a Level 1 onsite audit.
MAPPING OF PCI-DSS AND ISO 27001

Parameter | ISO 27001 | PCI-DSS
Creator | ISO | PCI Council
Flexibility | High | Low
Scope | Depends on the company | Credit cardholder information
Controls applied | Flexible | Tight
Controls | High-level | Low-level
Compliance | Easy | Hard
Number of controls | 114 | 224
Auditing | Three-year cycles and a small-scope audit performed every year | Four network scanning audits and an onsite audit for Level 1
Certification | May be given to all companies | Any company that provides information security for critical payment processes
Compliance level | Does not exist | Exists

CONCLUSION:

PCI-DSS is a standard that handles security for cardholder data, whereas ISO 27001 is specific to the information security management of the organisation. The mapping of PCI-DSS and ISO/IEC 27001 is optional information for managers who are tasked with ensuring compliance with either standard in their organisations. It is recommended that PCI-DSS and ISO/IEC 27001 be combined to give a better solution for risk mitigation and to secure the organisation's cardholder data.

AUTHOR

Dharmesh B
Security Engineer
Briskinfosec Technology and Consulting Pvt Ltd.,
https://www.linkedin.com/in/dharmeshbaskaran/

Thursday, 12 April 2018

GDPR (GENERAL DATA PROTECTION REGULATION)



GDPR is the General Data Protection Regulation, adopted on April 27, 2016 and applicable from May 25, 2018. The GDPR replaces the EU’s Data Protection Directive and is used mainly by European Union members to protect their data. GDPR is primarily used to control data breaches and data portability for EU members, and following this, other countries have started to develop GDPR-style rules for their own data protection. The regulation can also be applied to the storage of personal data, or other data that comes under national security organisations.

DATA PROTECTED UNDER GDPR:

  • Basic identity information such as name, address and ID numbers
  • Web data such as location, IP address and cookie data
  • Health and genetic data
  • Biometric data
  • Political opinions, etc.

GDPR OVERALL ARCHITECTURE:

The overall architecture of GDPR is described here. It starts from the senior executive team, followed by the legal advisers (engaged by an organisation as required to cross-check the process), and then mainly the IT and software development functions. Under the CIA triad (Confidentiality, Integrity and Availability), GDPR protects the required data. The outcome of the products is checked by the product development team. Finally, the CISO and the information security function follow the data privacy method to process the data in a secure manner; later it is processed by the data analysts and reaches the market. That is the overall GDPR process; refer to the link below to follow the GDPR checklist for better data protection.

GDPR IN CYBERSECURITY:

Most cybersecurity organisations fall under network and endpoint protection; they also prevent unauthorised access and provide threat management, vulnerability assessment and so on. Cybersecurity under GDPR is addressed by its methods of data encryption and data pseudonymization. Data encryption is the process of taking the whole data set, converting it to code and storing it in encrypted form; unless you enter the key value, you cannot access the data. Data pseudonymization is the method of substituting additional data-subject identifiers for your original data; data masking for better security, or hashing, can be done here to protect your data.
Data breaches in cybersecurity organisations can be controlled through GDPR, so consider investing in Cyber Essentials, a certification scheme backed by the British government that helps organisations prevent online attacks and hacking. This will assist with GDPR compliance, as well as improving the security of your company, customers and partners.
SANS generates a compliance report for GDPR which every organisation should follow to secure its data; by this you can also trace the path of where data breaches mainly take place.

DETECT AND BLOCK THREATS IN ATTACK CYCLE:

Security tools used in the cybersecurity organisation test your existing vulnerabilities and risks, and under GDPR you can set some conditions to protect your data using the techniques below.

FIRST LOOK AT EXPOSED PRIVILEGED ACCOUNTS:

When unconstrained delegation is enabled on a machine, an attacker who can connect to it can capture the ticket-granting tickets stored there, which can lead to the compromise and control of a domain controller.
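A defender's first check for the exposure described above is to list every account that carries the unconstrained delegation flag. The following is an added example, not code from the original post: it reads a constructed directory export (the account names and values are made up; the flag bits are the documented Active Directory userAccountControl constants), skips domain controllers, which are trusted for delegation by design, and reports the remaining accounts, user accounts first.

```python
"""Find accounts configured for unconstrained Kerberos delegation.

Added example, not part of the original post. The export below is a
constructed sample, not data from any real domain; the bit values are the
documented Active Directory userAccountControl constants."""
import csv
import io
from typing import Dict, List

# userAccountControl flag bits (documented AD constants).
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000   # member computer account
SERVER_TRUST_ACCOUNT = 0x2000        # domain controller computer account
TRUSTED_FOR_DELEGATION = 0x80000     # unconstrained delegation

# Constructed sample export: one row per account.
SAMPLE_EXPORT = """\
sAMAccountName,userAccountControl,msDS-AllowedToDelegateTo
DC01$,532480,
WEB01$,528384,
FILE02$,4096,
APP03$,4096,cifs/file02.corp.example
svc_backup,524800,
old_print$,528386,
"""


def parse_export(text: str) -> List[Dict[str, str]]:
    """Parse the CSV export into one dict per account."""
    return list(csv.DictReader(io.StringIO(text)))


def unconstrained_delegation(records: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return the accounts that keep the TGT of anyone who authenticates to them.

    Domain controllers carry TRUSTED_FOR_DELEGATION by design and are skipped;
    every other account with the bit set is a finding. Constrained delegation
    (msDS-AllowedToDelegateTo set, bit clear) is not reported by this check."""
    findings = []
    for rec in records:
        uac = int(rec["userAccountControl"])
        if uac & SERVER_TRUST_ACCOUNT:
            continue
        if not (uac & TRUSTED_FOR_DELEGATION):
            continue
        findings.append({
            "account": rec["sAMAccountName"],
            "kind": "computer" if uac & WORKSTATION_TRUST_ACCOUNT else "user",
            "enabled": not (uac & ACCOUNTDISABLE),
        })
    # User accounts first: a service account with this bit is the riskier case.
    return sorted(findings, key=lambda f: (f["kind"] != "user", f["account"]))


if __name__ == "__main__":
    for f in unconstrained_delegation(parse_export(SAMPLE_EXPORT)):
        state = "enabled" if f["enabled"] else "disabled"
        print(f"{f['account']:12} {f['kind']:8} {state}: unconstrained delegation set")
```

Disabled accounts are still listed, since re-enabling one silently restores the exposure.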

IDENTIFY CONTROLS THAT CAN BYPASS PRIVILEGED ACCOUNT SECURITY:

How many of you know that all your privileged accounts are safe? First, you have to check every privileged account and secure the required accounts with a strong password or with encryption methods; then it will be difficult for an attacker to bypass your account.

IDENTIFY AUTHENTICATION FIELDS TO YOUR ACCOUNT:

Check the authentication fields of your account that can be easily bypassed, e.g. Kerberos authentication or another authentication process. Through these flaws an attacker can easily access your account and gather information. Also set encryption for your account to protect your data, which likewise secures you from unauthorised access.

GDPR IN PENETRATION TESTING:

In the overall cybersecurity breach survey of 2017, about 61% of businesses held personal data on their customers electronically, and about 46% of all UK businesses identified at least one cybersecurity breach or attack in the past 12 months. GDPR in the CREST certificate was launched for network infrastructure, and through this the cardholder environment can be tested for attacks.
Refer to the above link for the GDPR toolkit guides that every organisation should follow to prepare for GDPR data protection.

OVERALL STATISTICS OF GDPR:

C GDPR is the official course offered by IT Governance; if you want to get certified in GDPR, refer to the following link.

CONCLUSION:

I’m sure that we have discussed something about GDPR data protection and its significant role in cybersecurity; follow the GDPR checklist to secure data protection for your organisation. “Are you waiting for better data protection? We are also waiting for it.”
AUTHOR

RamKumar
Security Engineer
BriskInfosec Technology and Consulting Pvt Ltd
Follow me @https://www.linkedin.com/in/ram-kumar-3439b511a/