Search This Blog

Showing posts with label Cyber Security Privacy Foundation. Show all posts

Lackadaisical VAPT leads to big hole in Cyber Security



Vulnerability analysis and penetration testing (VAPT) is the bedrock for cyber security. How can one fix problems if one does not know what the problem is? Ignorance is no bliss when it comes to cyber security - one estimate of annual cost of cyber crime to global economy ranges from US $ 375 billion – US $ 575 billion. That’s a lot of money.

Pity then that many companies undertake VAPT as an eye wash for ISO 270001, to secure for themselves a compliance certificate. IT vendors/IT Consultants are usually tasked with undertaking VAPT, and these firms in turn outsource it further to so called specialists, sometimes without the clients’ knowledge.

Vulnerability testing is deeply technical issue. When one is faced with situations such as Advanced Persistent Threats (APT) and 0 Day Vulnerabilities, it needs to be borne in mind that businesses are up against highly skilled and creative hackers. Such attackers typically belong to organized criminal groups, mafia groups, Black Hat hacker groups or state backed groups.

APT attack happens when committed adversaries persistently utilize advanced technologies to compromise targets. Extremely hazardous 0 Day exploits (vulnerabilities found by hackers and never reported to security vendors) are found in Operating Systems, Application Software, Browsers’ like Chrome, Firefox, Antivirus Software, Firewall, and Internal Application Software. On an average, twenty 0 Day vulnerabilities exist in any given server. O Days have the greatest amount of success and damage rates and least probability of detection by firewalls/IDS/AV's etc.

The lack of seriousness with respect to VAPT also extends to the “purchasers” of such services. Businesses are not fully equipped to understand the complexities of VAPT. One has heard of instances where a firm sought to dictate the nature of a Test, the date, time and even the server and port/s to be tested. All this fussiness may be relevant when it comes to a haircut, but not in the context of a VAPT. Hackers, of course, are famous for not following any rules whatsoever and thumbing their noses even at hyperactive cyber defenses, leave alone amateurish ones.

The crux of the whole problem appears to lack of senior management or CISO involvement in a VAPT or a similar exercise. This is a matter that cannot be left to systems administrators or developers who are better equipped to remediate the security issues than discovering vulnerabilities.

The lack of senior management attention is often seen in the nature of testing firms recruited to undertake the assignment. Inferior manpower (tool runners abound), no post exploitation skills, - no access to ultra critical 0 Day exploits, no APT “War Gaming” skills, no real white hat hackers on board with practical experience (only people with some theoretical knowledge), limited skills on network analysis – these are some of the downsides of testing firms normally used.

Businesses need to address such issues by ensuring senior level, even board level involvement in cyber security. Further their cyber security vendor selection process needs to be more precise and demanding. Vendors need to have very deep domain knowledge, years of penetration testing experience, sophisticated tools, access of hundreds of 0 Day exploits, and staffed by established and well networked bug bounty hunters and white hat hackers.

Author:
J Prasanna
Founder, Cyber Security & Privacy Foundation

CyberTech 2014, International exhibition & conference for Cyber solutions


CyberTech 2014 (cybertechisrael.com) is one of the best International Cyber security conference going to happen in Israel which is Inaugurated by Israeli Prime Minister, Mr.Benjamin Netanyahu.

Leading multi-national companies, over a hundred start-ups, private and corporate investors, experts and many more are going to participate in this event.

The keynote speakers of the event are leading cyber security experts including Chairman and CEO of Kaspersky lab 'Eugene Kaspersky', Head of the Israeli National Cyber Bureau 'Dr.Eviatar Matania',  Senior Vice President of Cisco Systems 'Bryan Palma'.

Cyber Security Privacy Foundation(CSPF) is interested to take a delegation of corporate/companies to Israel.

Indian companies who would like to tie up with Israeli hi-tech cyber start-ups can contact CSPF.  If you need any assistance in getting VISA to Israel for the conference, you can also contact CSPF.

Contact Details of CSPF: Founder@CySecurity.org


Larry Clinton addresses at an event held by CSPF and Anna University


Mr. Larry Clinton, President & CEO Internet Security Alliance gave an informative speech at the recent event held by the Cyber Security Privacy Foundation(CSPF) and Anna University.

The event was inaugurated by Mr. Ramamurthy, Chairman, Cyber Security and Privacy Foundation and followed by Dr. Chellappan, Dean Anna University.


Speaking on "The Evolving Cyber Threats, and How to Address Them", Larry Clinton said that Chief Financial Officier(CFO) in 95% of companies are not directly involved in information security.

He suggested CFOs to "appoint an enterprise wide cyber risk team and Develop an enterprise wide cyber risk management plan" in order to improve information security of an organization.


Clinton also appreciates CSPF's Tech Core which is headed by J Prasanna for pre-empting cyber threats.


"First of all, let me thank the Cyber Security and Privacy Foundation for all your efforts in putting together the interactive session with Mr. Larry Clinton at Anna University on November 21." In an email sent to CSPF, US Consulate said. "My colleagues and I were very pleased with the level of participation and engagement"


"Mr. Clinton was particularly happy to have had such a well-informed audience and their enthusiastic participation in the discussions."