Wednesday, April 20, 2011

Underground Economies - McAfee and SAIC report

A new report titled "Underground Economies", in which McAfee and SAIC collaborated to investigate how companies perceive and protect their intellectual capital, has been published. The report surveyed more than 1,000 senior IT decision makers around the world, asking where they thought their valuable data resided, what their attitude was to outsourcing control of it, how it was protected, and what the risk was of it being "misplaced".

Some of the highlights of the report are:

  • Employees' adherence (or lack thereof) to security procedures is considered a greater challenge to organizations' information security than the presence of multiple systems within the organization or the insecurity of supply chain partner systems
  • Around half of organizations are looking to increase their IT security spending on hardware upgrades, software upgrades and external hosting of data and other services
  • More than a quarter of organizations assess the threats or risks posed to their data twice a year or less often
  • Securing mobile devices continues to pose a challenge to businesses
  • Cloud-based services may represent a new target not only for data theft, but also as cheap infrastructure or resources for criminal enterprises
  • One in ten organizations will report only the breaches/losses that they are legally obliged to report, and no more

Some emerging trends that are changing the ways companies defend against sophisticated attacks and insider leaks are:

  • Deep Packet Inspection
  • Human Behavior Based Network Security
  • Insider Threat Tools
  • Advanced Forensics
  • Advanced Malware Analysis

The complete report is here. (Registration required)

Public comments requested

This is an opportunity for information security practitioners to participate in policy formulation.

National Cyber Security Policy - India

The Department of Information Technology (DIT), Ministry of Communications & IT, has prepared a draft discussion document on ‘National Cyber Security Policy’. The document is intended for public consultation, with the aims of facilitating the creation of a secure computing environment, enabling adequate trust and confidence in electronic transactions, and guiding stakeholders’ actions for the protection of cyberspace.

The document has been posted on the DIT website for public comment and can be downloaded from here.

Comments/feedback on this document should reach CERT-In by 15th May 2011 at the email id ‘grai at’

NIST document SP 800-53

NIST is updating its most widely referred-to document, SP 800-53, and this is your chance to provide input on this very important document. Many state, federal and country-specific regulations refer to this document directly or adapt it as the basis for their own control catalogs.

Revision 3 is available from the NIST website here.
You can send your comments to NIST by emailing sec-cert at by April 29, 2011.

Sunday, April 10, 2011

Breaches and attack methods

In the previous post I listed some of the high-profile attacks and breaches; let's look at some of the attack methods used in those and other recent attacks. This information was taken from the Web Hacking Incident Database.


SQL injection continues to be at the top, and over the last year or so we have started seeing more denial-of-service attacks.

Top Application Weaknesses

Missing or improper input validation is the major weakness we see in applications. Proper input validation is one of the major checks prescribed by guidance from OWASP and SANS. Note that validation alone is a defense-in-depth control; for SQL injection specifically, the primary fix is to use parameterized queries so that untrusted data can never be interpreted as part of the query structure.

Top Outcomes

Leakage of information is a direct outcome of SQL injection, and in many cases it results in monetary loss and loss of reputation and business. The other major outcome is downtime, which directly impacts the business bottom line and is something business people will understand.
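To make the link between the input-validation weakness above and the information-leakage outcome concrete, here is an added example (written for this post, not taken from the WHID report or any of the breached applications). It builds an in-memory SQLite table with constructed sample rows, then runs the same lookup two ways: a vulnerable version that concatenates user input into the SQL text, and a hardened version that allow-list validates the input and binds it as a parameter. The table name, column names, sample rows, the `^[a-z0-9_]{1,32}$` username rule and the two payloads are all assumptions chosen for the demonstration.

```python
"""Added example: SQL injection via string concatenation versus an
allow-list-validated, parameterised query. Illustrative code for this post,
run against constructed sample data in an in-memory SQLite database."""
import re
import sqlite3

# Assumed validation rule for this example: usernames are short, lowercase
# alphanumerics/underscore. Anything else is rejected before it reaches SQL.
NAME_RE = re.compile(r"^[a-z0-9_]{1,32}$")


def build_db() -> sqlite3.Connection:
    """Create a throwaway database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT, role TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (name, email, role) VALUES (?, ?, ?)",
        [
            ("alice", "alice@example.com", "admin"),
            ("bob", "bob@example.com", "user"),
            ("carol", "carol@example.com", "user"),
        ],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, name: str) -> list:
    """Weakness: untrusted input is spliced into the SQL text, so the input
    is parsed as SQL grammar rather than treated as a data value."""
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def validate_name(name: str) -> bool:
    """Allow-list input validation: accept only what the application expects."""
    return NAME_RE.fullmatch(name) is not None


def lookup_hardened(conn: sqlite3.Connection, name: str) -> list:
    """Fix: validate first (defense in depth), then bind the value as a
    parameter so the driver never lets it change the query structure."""
    if not validate_name(name):
        raise ValueError("rejected by input validation: %r" % name)
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


def lookup_parameterised_only(conn: sqlite3.Connection, name: str) -> list:
    """Parameter binding without validation: still immune to injection, the
    payload simply matches no row. Shown separately to isolate the two controls."""
    return conn.execute(
        "SELECT name, email FROM users WHERE name = ?", (name,)
    ).fetchall()


# Constructed attacker inputs: the classic tautology, and a UNION that pulls a
# column (role) the original query never exposed.
TAUTOLOGY_PAYLOAD = "x' OR '1'='1"
UNION_PAYLOAD = "' UNION SELECT role, email FROM users --"


def demo() -> dict:
    """Run both lookups against both payloads and return the outcomes."""
    conn = build_db()
    results = {
        "vuln_tautology": lookup_vulnerable(conn, TAUTOLOGY_PAYLOAD),
        "vuln_union": lookup_vulnerable(conn, UNION_PAYLOAD),
        "param_tautology": lookup_parameterised_only(conn, TAUTOLOGY_PAYLOAD),
        "param_union": lookup_parameterised_only(conn, UNION_PAYLOAD),
        "hardened_alice": lookup_hardened(conn, "alice"),
    }
    try:
        lookup_hardened(conn, TAUTOLOGY_PAYLOAD)
        results["hardened_rejected"] = False
    except ValueError:
        results["hardened_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup leaks every row for the tautology payload and, for the UNION payload, leaks the `role` column that the application never meant to return; that is the "leakage of information" outcome in the incident data. The parameterised lookup returns nothing for either payload, and the hardened lookup rejects them before any SQL runs while still serving a legitimate name.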

This is a useful way to categorize incidents. Organizations should compile a similar list of incidents within their own environment and present it to senior management and the Board as part of the metrics that show business impact.

Saturday, April 9, 2011

March - The month of attacks and breaches

March was full of major attacks and breaches; here are some of them:

These attacks show that adversaries continue to find ways to exploit systems, applications and networks, and that organizations need to rethink their strategies for defending against them. They also show that adversaries continue to seek to extract sensitive information or disrupt systems for their own gain.

Many organizations have suddenly started to realize that even they hold data that is valuable to attackers. They now realize how easy it is for attackers to take that data. They now realize that their investment in information security (both process and people) is just not enough. They now realize that management commitment to information security is not enough. They now realize that they need to do more.

Organizations should go back to basics and start by identifying critical data: where it is stored, who owns it, who has access to it, what the risks are, what security mechanisms are in place, and how to improve them. Organizations should concentrate more on preventive techniques and implement strong monitoring mechanisms as additional controls.

Organizations must also realize that if they don’t start doing this now, they will be forced to do it through more regulation from governments and other entities.

OK, so that was March; how does April look? Not good: there are already two reports of high-profile intrusions.