Saturday, February 12, 2011

DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry

Posting the DSCI (Data Security Council of India) announcement on this.

DSCI, on February 4, 2011, released the results of the “DSCI-KPMG Survey on State of Data Security and Privacy in the Indian Banking Industry”. The Survey Report, released by Shri. G. Gopalakrishna, Executive Director, Reserve Bank of India, at an event held in Mumbai, aims to establish a ground for dealing with the security and privacy concerns and offers insight to the banking industry on better equipping itself for data protection.

The need for such a survey and the understanding of security issues at the banks was highlighted by the enthusiastic response which the survey received from the public, private and international banks.

Some of the key findings of the Survey Report include:

· Customer awareness on information security along with insecure customer end points is one of the most significant challenges faced by the banks

· External threats and the increasing usage of online & mobile channels along with regulatory requirements are driving banks in India to invest in information security

· Managing security is more challenging in online banking and phone (IVR) banking as compared to other service delivery channels

· Banks drive inputs from international standards such as ISO 27001 to establish their security function

· Absence of collaboration and synergy between Security and Fraud Management functions leaves a significant gap in banks’ effort to curb financial frauds

Please follow the link below to access the full Survey Report.

Friday, February 11, 2011

New NIST documents on Cloud Computing

NIST issued two new draft documents on cloud computing for public comment, including the first set of guidelines for managing security and privacy issues in cloud computing. The agency also has set up a new NIST Cloud Computing Collaboration site on the Web to enable two-way communication among the cloud community and NIST cloud research working groups.

Here are the two documents:

  1. NIST Definition of Cloud Computing (NIST Special Publication (SP) 800-145). SP 800-145 may be downloaded for review from here.
  2. Guidelines on Security and Privacy in Public Cloud Computing (SP 800-144) provides an overview of the security and privacy challenges for public cloud computing and presents recommendations that organizations should consider when outsourcing data, applications and infrastructure to a public cloud environment. These recommendations are divided into the following areas:
  • Governance
  • Compliance
  • Trust
  • Architecture
  • Identity & Access Management
  • Software Isolation
  • Data Protection
  • Availability
  • Incident Response

Public comments are requested on this publication as well. SP 800-144 may be downloaded for review from here.

To learn more on Cloud Computing, risks and vendor selection, head over to my three part essay, here, here and here.

SANS India 2011 in Bangalore

SANS is coming back to India from 14-19 February with three courses. Here is the course line-up:

1. SEC 401: Security Essentials Bootcamp Style (GSEC) taught by SANS Certified Instructor Jim Herbeck

2. SEC 560: Network Penetration Testing and Ethical Hacking (GPEN) taught by SANS Certified Instructor Bryce Galbraith

3. FOR 610: Reverse-Engineering Malware: Malware Analysis Tools and Techniques (GREM) taught by SANS Certified Instructor Hal Pomeranz

I will be attending the FOR610 (GREM) course.

Details are here.

Saturday, February 5, 2011

Mandiant's M-Trends report is out.

Mandiant released its annual M-Trends report detailing APT-related incidents that they handled in 2011. The report provides first-hand accounts of real intrusions that illustrate trends in attack methodologies, the technology used to accomplish the attacks, and the types of data that have been stolen.

If you are not familiar with what APT is, refer to my earlier blog post on APT.

The report is available here.