<?xml version='1.0' encoding='UTF-8'?><?xml-stylesheet href="http://www.blogger.com/styles/atom.css" type="text/css"?><feed xmlns='http://www.w3.org/2005/Atom' xmlns:openSearch='http://a9.com/-/spec/opensearchrss/1.0/' xmlns:georss='http://www.georss.org/georss' xmlns:gd='http://schemas.google.com/g/2005' xmlns:thr='http://purl.org/syndication/thread/1.0'><id>tag:blogger.com,1999:blog-7402685039107633613</id><updated>2012-01-16T10:54:31.217-05:00</updated><category term='shareholder fraud'/><category term='bad research'/><category term='security incidents'/><category term='cyberwar'/><category term='haped'/><category term='trading'/><category term='risk management'/><category term='robot'/><category term='cyber terror'/><category term='Prometric failure'/><category term='communication plan'/><category term='privacy'/><category term='security spening'/><category term='online lover'/><category term='data theft'/><category term='PwC lies and misrepresentation'/><category term='incident management'/><category term='information security'/><category term='data loss'/><category term='monster'/><category term='compromised financial information'/><category term='lack of controls'/><category term='Compliance'/><category term='deloitte'/><category term='infosec'/><category term='kpmg'/><category term='secure software development'/><category term='mcafee'/><category term='fraud'/><category term='radia tapes'/><category term='bhelpuri'/><category term='avis'/><category term='segregation of duties'/><category term='cyber crime'/><category term='GRC'/><category term='IIM'/><category term='security'/><category term='TUI'/><category term='policy'/><category term='heartland'/><category term='banking incidents'/><category term='Security best practices'/><category term='unified compliance'/><category term='cyber weapons'/><category term='viruses worms trojans'/><category term='WMD'/><category term='university of brighton'/><category term='pricewaterhouse coopers lack of 
ethics'/><category term='IT Security'/><category term='hacked'/><category term='intel'/><category term='practices'/><category term='CAT'/><category term='wipro'/><category term='cold war scenario'/><category term='racist'/><category term='satyam'/><category term='PLD'/><category term='societer generale'/><category term='education'/><category term='system failure'/><category term='information security consulting'/><category term='lax security'/><category term='security education'/><category term='reputation'/><category term='sony'/><category term='crazy self proclaimed &quot;expert&quot; advise to do background check before taking friend requests'/><category term='cyber ransom'/><category term='hacking'/><category term='volcanic ash'/><category term='risk'/><category term='UK MP statement'/><category term='bad govenance'/><category term='compromised personal information'/><category term='espionage'/><category term='software bugs'/><category term='druni risks'/><category term='cyber squatting'/><category term='online scam'/><category term='new diasters'/><category term='new year'/><category term='laptops'/><category term='credit card'/><category term='women in  the workplace'/><category term='confickr'/><category term='change management'/><category term='children'/><category term='ROI'/><category term='bcp/dr'/><category term='DLP'/><category term='lost laptop'/><category term='ratan tata'/><category term='Prometric'/><category term='information security experts'/><category term='integrated compliance'/><category term='The Forrester Wave™: Information Security And Risk Consulting Services'/><category term='Q3 2010'/><category term='data assets'/><category term='sexual harassment'/><category term='phishing'/><category term='identity'/><category term='green security'/><category term='microsoft'/><category term='data compromise'/><category term='PS3 hack'/><category term='risks'/><category term='data'/><category term='improper communication'/><category term='identity 
theft'/><category term='data destruction'/><category term='threats'/><title type='text'>securambling  .... Rambling comments / reactions about Information Security</title><subtitle type='html'>A place for me to ramble, rample and whatever securely. Let my thoughts roam freely, about the state of security in information around me and I follow them and seek to engage. Ideas and plans and my dreams of security. And a place for events which inspire me or stoke the urge to comment.</subtitle><link rel='http://schemas.google.com/g/2005#feed' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/posts/default'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default?max-results=100'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/'/><link rel='hub' href='http://pubsubhubbub.appspot.com/'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><generator version='7.00' uri='http://www.blogger.com'>Blogger</generator><openSearch:totalResults>33</openSearch:totalResults><openSearch:startIndex>1</openSearch:startIndex><openSearch:itemsPerPage>100</openSearch:itemsPerPage><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3313912191446075210</id><published>2012-01-16T10:46:00.001-05:00</published><updated>2012-01-16T10:54:31.223-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='data'/><category scheme='http://www.blogger.com/atom/ns#' term='data assets'/><title type='text'>Data – The Ultimate Asset</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;Traditionally, 
business has looked at land, plant, building, machinery as assets that need to be protected and security thoughts have focused on fortification of the perimeter surrounding the assets. Business was about manufacturing, trading, services and then came the technology age... and life changed. Or did it ?&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;Unfortunately, businesses transposed traditional experiences into the technology realm thinking that firewalls, anti virus solutions, IDS/IPS and server hardening will protect the perimeter and life will continue securely. Computers became assets, but not data and it has taken a long time for businesses to realize their folly. While mature organizations have taken adequately appropriate steps, a majority continue to give lip service to their data assets.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;And therein lies the error of judgment – it is easier to buy a new plant than to make sense of a thousand files with unstructured data. Data is the ultimate asset in the technology age and the dependency on IT systems is growing exponentially. At work we grapple with more information (data) than we can handle and one hoards relevant and irrelevant data. 
The data which we work on grows into multiple copies across the organization and, whether one likes it or not, dependency on data is absolute.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;Business organizations, or individuals, cannot survive in event of non availability or loss of data and must accept that data is their most critical asset. It is essential to enable data security and manage this asset throughout the lifecycle using technologies that enable real time proactive protection.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;Data security is critical for business in the manner that&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;•&amp;nbsp;Confidentiality is maintained and data is not exposed, leaked, lost, stolen or compromised&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;•&amp;nbsp;Integrity of data is assured and users know that it is not tampered&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;•&amp;nbsp;And it is available at all times for uninterrupted business operations&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: 'Trebuchet MS', sans-serif;"&gt;Technologies like Security Incident and Event Management (SIEM), Data Loss 
Prevention (DLP), Information Rights Management (IRM) when deployed together in any organization, provide a high level of protection to the data assets and the organization has control on their assets while inside and outside their infrastructure perimeter. The SIEM will help monitor the network and alert against malicious activity, the DLP system will lock down assets from inappropriate access or transmission and the IRM system will provide the ability to remotely control document access rights.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-3313912191446075210?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3313912191446075210/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3313912191446075210' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3313912191446075210'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3313912191446075210'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2012/01/data-ultimate-asset.html' title='Data – The Ultimate Asset'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-5123297112172642107</id><published>2011-07-02T00:48:00.000-04:00</published><updated>2011-07-02T00:48:21.543-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='PLD'/><category scheme='http://www.blogger.com/atom/ns#' term='DLP'/><category scheme='http://www.blogger.com/atom/ns#' term='data destruction'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss'/><title type='text'>Forget DLP, think PLD - the Professional Loser of Data</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;DLP is the technology of choice when it comes to data protection. However in the past few months we are seeing a plethora of incidents which show the presence of antibodies in the system.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Antibodies or bacteria in an environment protected by DLP are PLD's. A PLD is a Professional Loser of Data and I am not surprised that most of the PLDs are in Government. Or in high places.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Take for instance the Adarsh scam - no sooner they started talking of big names that files started disappearing. 
The files in the Navy, Mantralaya, Mumbai Municipal Corp and the Environment Ministry have all been lost.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Then we had the CWG scam and saw more PLD action. At first the government supported Mr K by allowing him to continue being the boss and let loose his PLDs. Well these PLDs did a good job and we read about missing files :)&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Radia tapes and &amp;nbsp;Wikileaks are great examples of big time PLDs at work.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;The latest PLD operation, shockingly, or should I say expectedly, was enabling the loss of files relating to the Gujarat riots by the Gujarat government. The PLDs did this four years back and it has come to light in an RTI application. And the Gujarat riots are still under investigation ! This just shows the professional capability of the people in power, the PLDs, who were likely to be screwed. 
The government cites the data retention timeframe as the reason why the documents were destroyed saying all actions were taken strictly by the book.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Now, as I write about this, I wonder why the CBI did not discover the loss of documents when they were arresting Minister Shah. Or maybe one should not be surprised considering the recent incidents where they have thrown cases.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;So, as information security professionals, when we go to plug data leaks and consider insider risks we usually think about disgruntled employees or accidents. It is time to think about the bacteria, the antibody - the PLD. 
And remember no DLP system will be able to detect or control this guy's action.&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-5123297112172642107?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/5123297112172642107/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=5123297112172642107' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/5123297112172642107'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/5123297112172642107'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2011/07/forget-dlp-think-pld-professional-loser.html' title='Forget DLP, think PLD - the Professional Loser of Data'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-7903687240714514137</id><published>2011-05-06T15:48:00.000-04:00</published><updated>2011-05-06T15:48:19.055-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='hacked'/><category scheme='http://www.blogger.com/atom/ns#' term='haped'/><title type='text'>Oops I got hacked... no no raped.... 
no no no I got HAPED !</title><content type='html'>&lt;div dir="ltr" style="text-align: left;" trbidi="on"&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;In conversation with a friend we jokingly talked about the situation arising out of the hacking news and the gobbledy gook dished out as an explanation by the hackee CEO.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Having a drink later, I had an Eureka moment and conceived the theory of Haped.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Haped, my friends, is a new cyber term for being hacked - the reason why it is "haped" is because the site (or organization) has been raped.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Once haped, life is never the same. Your hidden fruit has been tasted and a million explanations will not bring back your innocence, your original configuration, your OEM feel, or your default settings... that virgin state. 
It's like the crack in a mirror which is always there when you are looking at yourself and you will keep telling the world how the hape did not disclose the holes.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;b&gt;The Theory of Hape (abridged): &amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; Every system or technology environment is built with known or unknown holes all over waiting to be penetrated and exploited.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; After a hape, weak controls and dirty data are exposed to the world and management has to run around trying to save their reputation, jobs and more.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&amp;nbsp; &amp;nbsp; &amp;nbsp; Hape is inevitable if one thinks that having devices, AV and certifications means total security ! 
Anyone living in such a fool's paradise must be prepared with red faced excuses followed by ulcers, resignations and silly accusations aimed at all and sundry.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;b&gt;Corollary 1:&amp;nbsp;&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;When buying security services with an L-1 mentality you are bound to get the feeling of The Emperor's New Clothes (http://en.wikipedia.org/wiki/The_Emperor's_New_Clothes) - sooner or later you will be hapee (no pun intended).&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;b&gt;Corollary 2&lt;/b&gt;:&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;If haped, talk and walk straight. Jalebi (Gobbledy gook) stories drive away sympathy or help and bring ridicule.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;b&gt;Explanations:&lt;/b&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;HAPE: a cyberworld term coined to mean a site or system that has been hacked. 
It is a combination of the words hacked and raped which (sort of) mean the same thing in their respective worlds.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;THE EMPEROR'S NEW CLOTHES: A story about an egoistic king who believed he was wearing a robe that was invisible to the lower class whereas he wasn't wearing anything.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;MAJOR OR MINOR HAPE: Small incidents like a Website defacement, iframe attack, or a large scale incident like a DoS attack, data theft etc.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;You got breached ... 
as bad as being forced into losing your V &amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-7903687240714514137?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/7903687240714514137/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=7903687240714514137' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7903687240714514137'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7903687240714514137'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2011/05/oops-i-got-hacked-no-no-raped-no-no-no.html' title='Oops I got hacked... no no raped.... 
no no no I got HAPED !'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3072844546356549826</id><published>2011-01-13T08:24:00.000-05:00</published><updated>2011-01-13T08:24:32.756-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ratan tata'/><category scheme='http://www.blogger.com/atom/ns#' term='sony'/><category scheme='http://www.blogger.com/atom/ns#' term='data compromise'/><category scheme='http://www.blogger.com/atom/ns#' term='radia tapes'/><category scheme='http://www.blogger.com/atom/ns#' term='data loss'/><category scheme='http://www.blogger.com/atom/ns#' term='PS3 hack'/><title type='text'>An arrow or a bullet once fired...</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Being a lawyer is good business and when you are hurt it does not matter what you pay your lawyer or how much &amp;nbsp;you pay !&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;I wonder how much did the lawyer tell his client beyond the FUD spiel and how can anyone think that things like arrows, bullets, emails can be recalled. 
How can any CEO think that a data breach can be just closed.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Consider these two news items - one in India and the other across the world in California.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;- Ratan Tata has moved the Supreme Court asking that the Radia tapes be destroyed / recalled etc and that a restraint be put on them. 
It is a violation of his privacy and more.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;-&amp;nbsp;Sony asks for restraining order over PS3 hack - which was announced in December and allows users to run pirated games etc and bypass Sony's 'technical protection measures'&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;In both instances the litigants, with due respect, have failed to understand that any data in public domain just cannot be erased or recalled ! 
It is now a part of history and "history cannot be wished away".&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Yes the lawyers will make good money and media has good copy. Strangely media does not make any big noises about the Radia tapes and we all know why (lol). To come back to the main issue - so what should these (such) people do - just avoid going to court and sit tight ? No, any incident is a learning and such lessons prove to be very very expensive. They are expensive (maybe) because someone overlooked the small risks or did not have proper controls in place.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;It is a big bad world in the realm of corporate or national espionage - this is common knowledge. So, I would not expect the boss of India's largest corporate group to EVER speak on an open line. Like I do not expect the PM to have a prepaid connection ! Nor would I expect Sony to chase a chimera - it is funny to see them ask a court to restrain someone from releasing a crack. How will the court enforce the order when there are multiple partners located in different countries ! 
And how will the court (or Sony) ascertain that there are no copies in the "wild".&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Like I said... good billing for the lawyers.&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Indian corporates have to realize that as they celebrate double digit growth figures and billion dollar M &amp;amp; A's it is necessary to accept the existence of current day threats and risks.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;The powerful and successful move around with the feeling of invincibility or (all round) there is a general sense of&amp;nbsp;complacency. 
Both lead to situations that one wishes never happened even in one's worst dream.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Proactive risk management and security are needed like never before. We have not yet learned to tame the beast in various applications and networks that are part of our daily life. One can look forward to bigger nightmare scenarios as mobile computing, cloud and handheld devices hit us.&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;Jaago (Wake up !) 
- how many more wake up calls are needed.&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="line-height: 1.22em; outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif; font-size: x-small;"&gt;&lt;span class="Apple-style-span" style="line-height: 16px;"&gt;&lt;br style="outline-color: initial; outline-style: none; outline-width: initial;" /&gt;&lt;/span&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-3072844546356549826?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3072844546356549826/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3072844546356549826' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3072844546356549826'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3072844546356549826'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2011/01/arrow-or-bullet-once-fired.html' title='An arrow or a bullet once fired...'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-807297675753036115</id><published>2010-10-19T10:05:00.000-04:00</published><updated>2010-10-19T10:05:07.859-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='The Forrester Wave™: Information Security And Risk Consulting Services'/><category scheme='http://www.blogger.com/atom/ns#' term='wipro'/><category scheme='http://www.blogger.com/atom/ns#' term='kpmg'/><category scheme='http://www.blogger.com/atom/ns#' term='information security consulting'/><category scheme='http://www.blogger.com/atom/ns#' term='Q3 2010'/><category scheme='http://www.blogger.com/atom/ns#' term='deloitte'/><title type='text'>The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010 - excerpt</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial;"&gt;&lt;span class="Apple-style-span" style="font-family: 'Times New Roman';"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: medium;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: medium;"&gt;&lt;h2 class="research_summary" id="execSum" style="border-bottom-color: initial; border-bottom-style: initial; border-bottom-width: 0px; color: #999999; font-size: 18px; font-weight: bold; margin-bottom: 0.5em; margin-top: 0px; position: relative; text-transform: uppercase;"&gt;&lt;span class="Apple-style-span" style="-webkit-text-decorations-in-effect: none; color: black; font-size: 15.9722px; font-weight: normal; text-transform: none;"&gt;&lt;h1 class="research_title" style="color: #688a45; font-size: 23px; font-weight: bold; margin-bottom: 0.1em; margin-left: 0px; margin-right: 0px; margin-top: 0.3em;"&gt;&lt;a 
href="http://www.forrester.com/RB/RESEARCH/WAVE%26TRADE;_INFORMATION_SECURITY_AND_RISK_CONSULTING_SERVICES,/Q/ID/56675/T/2"&gt;The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010&lt;/a&gt;&lt;/h1&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/h2&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="color: #999999; font-size: 15.2777px; font-weight: bold; text-transform: uppercase;"&gt;EXECUTIVE SUMMARY&lt;/span&gt;&lt;/div&gt;&lt;div class="marTopSml marBotHug" style="font-size: 18px; margin-bottom: 2em; margin-left: 0px; margin-right: 0px; margin-top: 0.25em;"&gt;In Forrester's 75-criteria evaluation of information security and risk consulting service providers, we found that Deloitte led the pack because of its maniacal customer focus and deep technical expertise. PricewaterhouseCoopers (PwC), Ernst &amp;amp; Young, and Accenture are market leaders due to their security expertise, breadth of services, and global reach. KPMG provides excellent strategic work and boasts great client feedback. Verizon Business has been quickly catching up to the Leaders due to its focused strategy around security services and flawless execution. Wipro now offers a viable offshore alternative, while HP and IBM have renewed their focus on security consulting services by integrating security competencies from different parts of their business into a coherent unit. BT Global Services continues to provide pragmatic risk-focused consulting services across the globe, and AT&amp;amp;T's recent acquisition of VeriSign's security consulting practice will make it a formidable competitor in this space. 
Protiviti may not have the same breadth of services, but it delivers excellent customer-focused risk- and compliance-driven services.&lt;/div&gt;&lt;blockquote&gt;The above is an excerpt quoted from the Forrester website.&amp;nbsp;&lt;/blockquote&gt;&lt;div class="marTopSml marBotHug" style="font-size: 18px; margin-bottom: 2em; margin-left: 0px; margin-right: 0px; margin-top: 0.25em;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: medium;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-807297675753036115?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/807297675753036115/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=807297675753036115' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/807297675753036115'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/807297675753036115'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/10/forrester-wave-information-security-and.html' title='The Forrester Wave™: Information Security And Risk Consulting Services, Q3 2010 - excerpt'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-8760021476163374104</id><published>2010-08-12T11:20:00.001-04:00</published><updated>2010-08-13T00:45:06.325-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sexual harassment'/><category scheme='http://www.blogger.com/atom/ns#' term='women in  the workplace'/><title type='text'>Dangerous corporate relationships</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;To all you guys ... be careful in how you interact with your female co-worker(s) when you :&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- forward an email or an SMS to a female co-worker, or,&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you tell a joke in her presence which may be saucy / adult / plain xxx, or,&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you crack a joke about her, or,&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you compliment her on her looks / dress or you do not notice her&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you ignore her at the project party and dance with someone else&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you do not make a graceful exit from a 
relationship&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- you touch her in a friendly manner like slapping her back etc&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;and so many other things one will normally do with a co-worker who becomes a friend after working day and late evenings on projects, sharing the joys and pains of deliveries, client relations, bad appraisals, un-approved expense statements, birthdays, resignations ... so much and more.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;Oh yes make sure she is not three rungs below you in seniority (according to Idea Cellular it is inappropriate to get into a relationship with someone who is your junior .... ROTFL) &amp;nbsp;- one or two may be okay ;-) else try another department at the same level and on the same floor.&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;This is what I know - women are stronger than men and men had better believe this and make life easier for themselves. So stop getting drunk or bashing them just to prove your masculinity. At the end you are the one who says sorry and cuddles up to her.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;What I fail to understand - women are screaming for equality. They want to wear pants and walk with the guys. 
You can see liberated and empowered women everywhere - standing with their male friends (or alone) smoking outside buildings, leading presentations, rubbing shoulders in pubs and restaurants. Of course then they also head large corporations and fly planes and spaceships. Oh yes, I forgot the mixed parties at strip clubs - the guys and gals really bond there.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Any of the above mentioned scenarios is a potential 'sexual harassment' situation and if a woman cries wolf the man has no chance.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Why do women expect special treatment when there is the eternal quest to be considered equal.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Over the past few weeks we have seen a few high profile cases&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;- Mark Hurd resigned as CEO at HP&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;- Pradeep Shrivastava resigned as Chief Marketing Officer at idea Cellular&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;- David Davidoff resigned as CEO at Penguin International&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" 
style="font-family: Verdana, sans-serif;"&gt;And this blog came about inspired by the &lt;a href="http://infosecgallery.blogspot.com/2010/08/dangerous-corporate-relationships-what.html"&gt;incident at Idea Cellular&lt;/a&gt;. &lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Yes there are lots of bad men and they do bad things, but then bad men and bad women do bad things to men too. How many men can claim sexual harassment and how many have done this. Harassment happens in the workplace and at home too... and we have wife beaters and husband-beaters too, except that there is no law to protect the men.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Let me clarify - I do not want to be considered or to sound sexist or attract the ire of womenfolk. My family has always had more women than men and I love them and have seen them cry, laugh and conquer. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;And there are a number of women I have had the privilege of working with - women of substance and some without (just like the male co-workers). We have partied together, shared jokes, exchanged emails, shared happiness and sorrow, bitched about the boss and the appraisals and the expenses and more. When you spend 10 plus hours with a group of people for so many days of your life you are bound to bond. 
It happens everywhere !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;So when should a woman say harassment and when not ? Maybe that is what we must see in the context of our ambitions to be men and then act like women. Maybe the parent at home must trust the daughter as much as the son and pass on that same thought process to the female.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;What I have to say is that back slapping or a hug and a peck on the cheek among friends is not harassment. Forwarding SMSes or emails to friends is not harassment when you are friends, whether the forwards are tame or of the saucy or adult variety - it has to be taken in the spirit of&amp;nbsp;camaraderie&amp;nbsp;and if any one does not like such communications one can ask the sender to desist.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Of course if the sender continues to be a pest then the harassment claim will be valid and this can be &lt;u&gt;man to man&lt;/u&gt; or &lt;u&gt;man to woman&lt;/u&gt; or &lt;u&gt;woman to man&lt;/u&gt;. 
&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;So where does one have to draw the line and why - if the workplace is equal opportunity then everyone is equal. Men and women. If so then why does the woman have the right to "claim" harassment and score on a man so easily - I mean she can get a summary judgement against a man just by crying out loud. And be sure that that man / officer will be ostracized in the office right away.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Another clarification - I do not condone the behavior of people like Rathore or Gill. They have no business touching the ladies inappropriately, gloating over their behavior and then using their powerful connections to browbeat their victims. Even with a man they have no right touching anyone inappropriately.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;See - this is what I mean - what is wrong is wrong. And if you are going up to the moon in a spaceship how do you live with three co-workers in a cramped spaceship? Or if you are on a sales trip with a couple of men co-workers how do you avoid the after hours bonding when you are all staying at the same hotel... 
how will you work together if you are not social with your co-workers?&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Women are all over - one sees more women than men in jobs and it is great. They are a treat to the eyes and no disrespect here. So will I be hauled up for harassment if I look at you - I mean an approving eye is good but a roving eye is evil so how do you tell this apart?&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;/div&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;What I do know is that from a man's perspective there may be a lot of potentially situations and one has to have a perspective on this. In any case, to go back to my first statement - women are strong and women want to be empowered so why not take the opportunity and stand tall. 
Why do u want harassment laws and if they are enacted why have you not asked for gender equality with the same fervor !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-8760021476163374104?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/8760021476163374104/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=8760021476163374104' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8760021476163374104'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8760021476163374104'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/08/dangerous-corporate-relationships.html' title='Dangerous corporate relationships'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2306632331826552823</id><published>2010-08-12T09:23:00.002-04:00</published><updated>2010-08-14T05:29:56.833-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='sexual harassment'/><title type='text'>Dangerous corporate relationships - what an idea sirji...</title><content type='html'>Note .. 
this has been re-posted from my blog infosecgallery.blogspot.com&lt;br /&gt;&lt;br /&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Update: Aug 14, 2010&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;People just don't have the patience to read and are getting personal. So I have removed names involved... infer what you may!&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;I woke today to see headlines about the newest victim of sexual harassment in the workplace...&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, 
sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;a href="http://www.mumbaimirror.com/article/15/2010081220100812025557903a5a89ba8/Top-idea-executive-charged-with-sex-harassment-quits.html"&gt;Aug 12 - Resignation of Idea Cellular's Chief Marketing Officer&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;http://www.mumbaimirror.com/article/15/2010081220100812025557903a5a89ba8/Top-idea-executive-charged-with-sex-harassment-quits.html&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Reading through the article I could not help but feel sorry for [a] CMO and his family; [b] Chairman and the Company; [c] the telecom industry and [d]&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;the lady who has charged misconduct and her family.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; 
margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;My opinion - Shooting straight from the hip (as usual) is based on this one article in the Mumbai Mirror,&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;and I will refer to it extensively because&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;I am going to read between the lines and you may&lt;i&gt;&amp;nbsp;find my digressions interspersed in italics&lt;/i&gt;&amp;nbsp;-&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;b&gt;&lt;u&gt;[a] The accused&lt;/u&gt;&lt;/b&gt;&amp;nbsp;- he is called one of the 'brightest sparks' and has been with the group for over 8 years. In spite of the 'brightness' with reputed institutions behind him, he chose to quit and not make a statement before the committee that was investigating the charges. 
And that too when he could have easily shot down the charges.&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Why quit for something that is not proven and not fight back for your honor - get them to fire you ! Then he could have claimed wrongful dismissal !!&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;That he lived with the charges for two years is another black spot - why did he not actively pursue &amp;nbsp;for closure when the first charges were leveled two years earlier. 
Obviously a lot of legal advice has been provided and this formed the basis of action (or lack of it) &amp;nbsp;- so now he will be pronounced&amp;nbsp;&lt;u&gt;anecdotally&lt;/u&gt;&amp;nbsp;guilty !&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Read the report of the investigating committee and you find that it has gone to great lengths to state he is not guilty, so why quit? Why did he not lodge a complaint and allow the cops to take this incident to a logical conclusion?&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;It is always tough on the family and this one will be no different, and neither will life be different for him.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: 
Verdana, sans-serif;"&gt;[My opinion]&amp;nbsp;&lt;i&gt;The newspaper report does not mention any closure. No complaint has been filed; no settlement is made. Nothing at all to suggest that animosities have been locked up and the keys are at the bottom of the sea.&amp;nbsp;Of course both parties must have had to sign a hundred pages of legal documents and I am doubly sure they may not have read it. &amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;b&gt;&lt;u&gt;[b] The firer&amp;nbsp;&lt;/u&gt;&lt;/b&gt;&amp;nbsp;- the investigation committee seems to have been constituted to fulfill a policy requirement but the decision seems to have been based on PR considerations. "Out, damned spot!" - is the only dialog I remember from Lady Macbeth but I also remember that damned spots do not go away easily. &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;The committee accepted printouts of the SMS messages but did they get cellphone records too? Since they are a telecom provider themselves it is easy to access the records of their own people. 
Their findings are :&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;- the harassment charge and non-promotion are not linked so they do not accept her argument here!&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;- they cannot establish if the evidence (SMS messages) was genuine since she has submitted printouts.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;&lt;/i&gt;- late night messages between someone your junior is inappropriate ! (&lt;i&gt;hello ! So do u have a policy which says that you should be attracted only to people who are three rungs your senior or three places removed. 
A new fatwa on appropriate corporate behavior)&lt;/i&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;The harassment charge was leveled first two years earlier and that was not closed, and now again last year - so why did the company sleep on a potential workplace conflict situation ? If only a shareholder can file an RTI request there will be a lot of interesting papers to read. One more question that comes to my mind is that if there was this two year old charge why was the accused on the team that carried out her appraisal... how come she continued on his team and HR did not do anything to change her reporting authority.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Whoops .. sorry Idea ... ek aur question - are the SMSes one year old or two years old or fresh ? Obviously if the SMS is like two years old, we have a different motive to look at now. If they are new then I am sorry to say that he did not learn his lesson when trouble brushed past him during the first instance. 
I shall never know but maybe some newshound will sniff out more information and share.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;My&amp;nbsp;curiosity&amp;nbsp;is only to add to my learning and this is not a gossip or I-want-to-gloat-on-your-misfortune request.&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Finally there is an "overwhelming feeling in the company" that his "conduct&amp;nbsp;&lt;b&gt;did not&lt;/b&gt;&amp;nbsp;amount to sexual harassment" -&amp;nbsp;&lt;i&gt;time for another hello ! are you being contrite just to assuage your guilt ! If this was NOT sexual harassment then why is the newspaper screaming SH ?? 
who is responsible for this ??&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;[My opinion]&amp;nbsp;&lt;/span&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;The company seem to have a weak incident response, &amp;nbsp;incident management and remediation process. They have not resolved potential conflicts leading to the loss of a high performer. If there is truth in the charges and this had been closed two years earlier there may have been more "bright" ideas sirji in time to come! Now they have to search for a successor and this has to be done pronto since the CMO seat is now vacant.&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Eight years is a long time and I am sure many other seniors/peers in the organization felt very bad about letting him go but that does not absolve them of the error of inaction or early action.&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Surprisingly, when the investigation committee has given a clean chit the press is talking about sexual harassment - so who has created this PR bungle ?&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; 
margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;On July 22,&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;a href="http://www.medianama.com/2010/07/223-idea-cellular-cmo-pradeep-shrivastava-resigns/"&gt;&lt;span class="Apple-style-span" style="color: black;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;MediaNama reported&lt;/i&gt;&lt;/span&gt;&lt;/span&gt;&lt;/a&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;&amp;nbsp;that he is leaving the company to pursue personal interests and on Aug 12 Mumbai Mirror is screaming sexual harassment ! There is an obvious leak somewhere or is there more here than can be seen... rivalry, revenge etc&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;I don't think this is going to go easy - I am sure a non-poaching clause was inserted in the F &amp;amp; F with him but is there an I-will-not-leave clause with the people whom he mentored or worked with ? And there will be a date when the &amp;nbsp;non-poaching clause will die - besides, how does one prove that someone who joined him was poached and in any case there are a zillion ways to get around this.&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;"Employee Churn", "Attrition", "Head Hunting", "Poachers"... 
&amp;nbsp;combine these words with morale et al and a picture emerges which may not be very pleasant.&amp;nbsp;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;In any case,sir this is your baby and my purpose is to comment on incidents and I am going to also write about sexual harassment so you may want to keep a watch on my blog.&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;i&gt;&lt;br /&gt;&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;b&gt;&lt;u&gt;[c] The accuser&lt;/u&gt;&lt;/b&gt;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&amp;nbsp;- about two years earlier she wrote to HR accusing him of sexual harassment but did not provide any evidence to substantiate her charges. 
HR withheld his increment based on the accusation.&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Last year she accused him again and wrote to the chairman asking him to intervene and a committee was set up which I have written about. Now she has provided evidence in the form of printouts of SMS messages. The committee says that they cannot infer whether these are genuine and that there is no case for harassment and the company says that this was not a case of SH ... whatever .... &amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;he resigns and she has conveyed her "delight" to the senior management at Idea. 
&amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;End of story.&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;However, my point of view must be made since this is my blog and I want to have the last word -&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;[My opinion] It is not easy to live in a man's world and to carry on a fight for sexual harassment for a woman. 
And when the woman is in sales it will be a bigger challenge because you are constantly engaged in inter-personal professional relationships.&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;You have to admire her confidence in her case because she withheld her mobile (prime evidence) and presented hard copies of the SMS messages and got the committee to accept this - now&amp;nbsp;that is good legal advice and negotiating skills which seem to be missing elsewhere.&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;And I am curious to know why she did not present any evidence when she first reported the harassment by registered mail - maybe someone will enlighten me someday ! If she continued in the company for a year after the first complaint she must be interacting with him all along so how come no one knows about the relationship ... good, close, only friends, enemies, hate etc. Certainly HR needs to come up with some sort of explanation. &amp;nbsp; &amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;blockquote style="font-family: 'Times New Roman';"&gt;&lt;div style="margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;i&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;And if this did not affect the work it is awesome ! 
&amp;nbsp;Then what will ?&amp;nbsp;&lt;/span&gt;&lt;/i&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;Finally a tongue in the cheek comment - is this the reason why we see Abhishek Bachhan morphed into a tree with wiry branches in the later day ads after the hugely successful Sirji campaign. The one where he whacks someone for cracking a sick one...&amp;nbsp;&lt;/span&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;post pedh or pre &amp;nbsp;.. whats up sirji. (&lt;i&gt;for the non-Hindi speakers - this is a take on the words post-paid and pre-paid as used in cellular phone schemes ask me to explain a sick joke and i wont like it)&lt;/i&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;Mark Hurd from HP, David Davidar from Penguin, Phaneesh Murthy from Infosys were achievers and lost a lot when they were ousted on charges of sexual harassment. A lot of money and more - so stay clued in for my next blog on women :) I surely have developed a new point of view. 
&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;span class="Apple-style-span" style="font-family: Verdana, sans-serif;"&gt;&lt;a href="http://securambling.blogspot.com/2010/08/dangerous-corporate-relationships.html"&gt;This link will take you to my blog about women in the workplace....&lt;/a&gt;&amp;nbsp;&lt;/span&gt;&lt;/div&gt;&lt;div style="font-family: 'Times New Roman'; margin-bottom: 0px; margin-left: 0px; margin-right: 0px; margin-top: 0px;"&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2306632331826552823?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2306632331826552823/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2306632331826552823' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2306632331826552823'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2306632331826552823'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/08/dangerous-corporate-relationships-what.html' title='Dangerous corporate relationships - what an idea sirji...'/><author><name>Dinesh 
O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-7555231999052698313</id><published>2010-07-27T13:36:00.000-04:00</published><updated>2010-07-27T13:36:01.854-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='information security experts'/><category scheme='http://www.blogger.com/atom/ns#' term='crazy self proclaimed &quot;expert&quot; advise to do background check before taking friend requests'/><title type='text'>Security Experts and more...bloopers !</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Our world is so dependent on technology that we are unable to close security holes as we strain at the boundaries of our imagination to build new concepts hitherto unknown.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;So we have painted our world gray and recently we have moved into the cloud which has created&amp;nbsp;orgiastic excitement among the techie mortals globally. 
Experts abound in this world and salary payouts are the stuff dreams are made of.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;There are experts who provide newsbytes basking in the media glare using FUD as a vehicle of self promotion, and then there are also those who provide knowledge who prefer their low key life and are recognized in their professional circles.&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;And among the many bloopers that are contributed the newest one from an Information Security expert is&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;"You must do a background check when accepting a friend on any social network or taking a friendship further"&lt;/span&gt;&lt;/blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Another blooper that comes to my mind is about wifi networks, when Mumbai and Pune experts were obsessed with doing war driving to get information about open wifi networks.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;blockquote&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;"An open wifi connection is like showing an open door to terrorists to come into the country !"&lt;/span&gt;&lt;/blockquote&gt;&lt;span 
class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;I do not want to name names as I do not want to be party to their fame which is widespread. These experts are all over except in circles where one finds some genuine knowledgeable professionals. Mind you I am not one and nor do I claim to be one - I work in Information Security and spend every moment of my waking time trying to learn what my peers know.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;What riles me is the way mediapersons fall over each other to get to the same people to provide (h)expert comments about any incident without even trying to understand it themselves.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;For example - when this guy said that you should do background checks before befriending someone on social networks he was commenting on an incident about a girl falling into trouble with a f'book friend. She is about 17 and here this guy is asking her to do background checks on people who send friend requests. She would have checked the guy's profile before saying yes to accept him and I bet she does not know the meaning of "background checks". 
Mr Expert don't you think it's time you stopped !&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-7555231999052698313?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/7555231999052698313/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=7555231999052698313' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7555231999052698313'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7555231999052698313'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/07/security-experts-and-morebloopers.html' title='Security Experts and more...bloopers !'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2092241754364048556</id><published>2010-07-09T05:21:00.000-04:00</published><updated>2010-07-09T05:21:29.230-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='trading'/><category scheme='http://www.blogger.com/atom/ns#' term='druni risks'/><category 
scheme='http://www.blogger.com/atom/ns#' term='TUI'/><category scheme='http://www.blogger.com/atom/ns#' term='risks'/><title type='text'>Risks - known and unknown, new or old.. bad stuff happens</title><content type='html'>&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;Risks,.. they may be old or new, known or unknown, systemic or operational or financial, technology or enterprise. As life moves on and technology becomes all pervasive threats and risks take on new forms and mankind keeps learning to survive and live.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;However this post is not about mankind and I would like to stay within the limits of my knowledge and professional domain.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;New risks were exposed with "&lt;i&gt;we-never-thought-this-could-happen events"&lt;/i&gt; like New York 9/11; Hurricane Katrina; Bhopal; Barings Bank; San Francisco Sys Admin Lockout; Mumbai 26/11; Icelandic Volcanic Ash; Swine and other types of Flu and so many such incidents.&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;People risks include many factors and a new risk that has come up is drunkenness. Getting high on alcohol while on the job is no doubt a risk and every manager has to call upon his/her best person-management skills to take care of the alcoholic colleague. 
Drunk at the office party and everyone knows you cannot hold your liquor and you have to hide yourself in a hole for the next week.&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;However, technology brings new risks and if you can remember [1] your way to office, [2] your password, [3] how to start your system - then you can do what you like and blow a hole in your company's finances. Like this gent ...&amp;nbsp;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;blockquote&gt;&lt;a href="http://www.mirror.co.uk/news/top-stories/2010/06/30/city-ban-for-6m-drunk-rogue-trader-115875-22370875/"&gt;&lt;span class="Apple-style-span" style="color: black;"&gt;City ban for £6m drunk rogue trader&lt;/span&gt;&lt;/a&gt;&lt;/blockquote&gt;&lt;blockquote&gt;30/06/2010&lt;/blockquote&gt;&lt;blockquote&gt;An alcoholic rogue trader who cost his oil firm £6million was yesterday fined £72,000 and banned from working in the City for five years. 
&amp;nbsp; &amp;nbsp; &amp;nbsp;&lt;a href="http://www.mirror.co.uk/news/top-stories/2010/06/30/city-ban-for-6m-drunk-rogue-trader-115875-22370875/"&gt;&lt;span class="Apple-style-span" style="color: black;"&gt;&lt;i&gt;Read more.&lt;/i&gt;..&lt;/span&gt;&lt;/a&gt;&lt;/blockquote&gt;&lt;br /&gt;So here you go and add this new threat into your risk registers - TUI (Trading Under Influence)&amp;nbsp;Make sure you keep a close watch on the boss and the traders, especially those who have had a good time over the weekend !&lt;br /&gt;&lt;br /&gt;And then there are other risks too but we shall wait for them to be exposed. Bad stuff happens. move over DUI we have TUI in the workplace !&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;br /&gt;&lt;span class="Apple-style-span" style="font-family: Arial, Helvetica, sans-serif;"&gt;&amp;nbsp;&amp;nbsp;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2092241754364048556?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2092241754364048556/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2092241754364048556' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2092241754364048556'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2092241754364048556'/><link rel='alternate' type='text/html' 
href='http://securambling.blogspot.com/2010/07/risks-known-and-unknown-new-or-old-bad.html' title='Risks - known and unknown, new or old.. bad stuff happens'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-4728013083490501086</id><published>2010-04-29T01:54:00.003-04:00</published><updated>2010-04-29T02:55:28.973-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='software bugs'/><category scheme='http://www.blogger.com/atom/ns#' term='change management'/><category scheme='http://www.blogger.com/atom/ns#' term='mcafee'/><category scheme='http://www.blogger.com/atom/ns#' term='microsoft'/><title type='text'>The mighty also do stumble.. learn when the earth shakes</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Giants in their own right .. McAfee and Microsoft had a bad hair day. &lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;First it was McAfee - on or around 4/22 they erred and sent out a defective update that disabled systems running Windows XP (SP3). This is your worst nightmare - the system you purchased to protect yourself itself brings you down ! Now how do you look at risk !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Then it was Microsoft ! 
They released an update which is supposed to be critical for Windows 2000 systems but was incomplete at the time of release. The update took care of a reported vulnerability but failed to address a second, so it went out in a form that left the user still vulnerable to attack (even after applying the patch). &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;/span&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Computerworld covers this incident here&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt; ... &lt;a href="http://www.computerworld.com/s/article/9176050/Microsoft_re_releases_botched_Windows_2000_update?source=CTWNLE_nlt_securityissues_2010-04-28"&gt;Microsoft re-releases botched Windows 2000 update&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Process failure, &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;    process failure and &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;         process failure. No one is perfect and neither do I profess perfection. It is a state which is extremely difficult to achieve and then more difficult to maintain.. all because perfection is a utopian state which exists as much as zero risk !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Having said this, what surprises me is the gap in the process where these incidents fell through. 
While Microsoft has not had anyone reporting losses due to the incomplete update patch, McAfee has to pay for their gaffe. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;a href="http://blogs.zdnet.com/Bott/?p=2031&amp;amp;tag=nl.e550"&gt;McAfee has admitted to a problem in the quality proces&lt;/a&gt;s. They say they made changes in the QA system and as a result a faulty DAT file went through ! Nice ! Changes are being made to ensure this does not happen again. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;They have issued an &lt;a href="http://www.itnews.com/windows/17098/mcafee-apologizes-crippling-pcs-bad-update?source=ITNEWSNLE_nlt_itndaily_2010-04-23"&gt;apology to their customer&lt;/a&gt;s and offered to compensate those who have been affected by the bad update. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;The lesson is clear - ensure process compliance and make sure Change Management is a serious process and there are no exceptions. If the mighty can stumble, the small and medium (meek) business do not have a hope to survive. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;What I like is the quick proactive stance of McAfee - they went into damage control immediately and apologized. This was followed up quickly with the compensation offer which may not help much but is an offer nonetheless. 
It also reminds me of Toyota and the various other car companies that have recalled their cars to fix faults. Unfortunately you cannot do a recall in this scenario - the arrow is out in flight and will either hit or miss ! no way you can stop or recall it !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt; &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;  &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt; &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-4728013083490501086?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/4728013083490501086/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=4728013083490501086' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/4728013083490501086'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/4728013083490501086'/><link rel='alternate' type='text/html' 
href='http://securambling.blogspot.com/2010/04/mighty-also-do-stumble-learn-when-earth.html' title='The mighty also do stumble.. learn when the earth shakes'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6759438033046575476</id><published>2010-04-24T03:01:00.001-04:00</published><updated>2010-04-24T03:02:52.319-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='ROI'/><category scheme='http://www.blogger.com/atom/ns#' term='green security'/><category scheme='http://www.blogger.com/atom/ns#' term='Security best practices'/><title type='text'>Converged Best Practices and Standards Provide Assured and Hard ROI..</title><content type='html'>&lt;p class="MsoNormal" style="margin-bottom:6.0pt;line-height:normal"&gt;&lt;i style="mso-bidi-font-style:normal"&gt;&lt;span lang="EN-US" style="font-size:9.5pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black"&gt;one only needs to think ‘inclusively’&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;We grew up seeing mountains of files in the backrooms of our parents offices – an age when we cut trees to make paper and created filing systems that could occupy buildings. Then came the digital age and we continue to fell trees and create complex filing / storage systems in servers which are housed in huge data centers. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;The digital age promised savings in space, storage efficiency, lightning fast data access and retrieval, remote access… in short, information at your fingertips for a wired you ! &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Notwithstanding these claims, we continue to struggle to find “that” file, as much as we struggled in the Paper Age. And, if, in that age, we needed warehouses to store files such that they were safe from the weather and were findable, we are no better today when we need large data centers with backup facilities in addition to the huge back-office and front office data processing facilities. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Fundamentally, the technology is right and so is the process which is where we placed our bets. We forgot the people and this is what is making us lose out. 
There are smart companies who have not overlooked the people factor and are enjoying the fruits of the digital age, but a majority continue to live with the mirage of digital efficiency.&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;It is payback time and it is time analysts and architects working in the technology domain in data centers, infrastructure, security, governance et al remove their blinkers if they want to survive in the years to come. Else, we may as well prepare for the dark ages. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Data Centers are growing organically and their rate of reproduction would put a rat to shame. Unfortunately the executive measures his efficiency with the size of the data center or the number of computers in the hands of users, and considers security is in place with devices like firewalls, IDS/IPS or, lately, the UTM. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;The truth cannot be further away and few farsighted and visionary companies have read between the lines and through the paper to enable people with the right mix of process and technology. This is done by simply following any best practice or standard in the spirit. 
Any best practice or standard, say an ISO 9001 or an ISO 27001 or a BS 25999 or a CobiT® can bring high ROI and provide clearer vision to management.&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;The CIO/ CTO/ CEO have to expand their vision… the IO and TO have to stop being IT centric and think enterprise and the EO has to include IT in the vision process, and maybe everyone has to learn about each other’s business. So the technology people must go to management school to learn financial statements and what makes the company tick and the executives should learn the essentials of systems in terms of how and what they can do. It will open up empathy across business lines since people will start thinking in terms of business and not just about how tough it is to get the executive to understand a simple thing like TCP/IP !&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;It is surprising that the technology executives have yet to think in terms of building-in security or process best practices when they conceptualize enterprise IT architecture. While they are quick to embrace new technologies like cloud, virtualization, SaaS etc they are scared to “experiment” (? This is the wrong word but I shall use it for the sake of generalization) with Open Source. Simply put innovation is not in place because the technology executive is not sure about technology and the benefits it is providing. 
They race to provide facilities and do not pause to measure; nor do they manage the race since they are driven by the geeky impulse to tinker with new technology, just to ensure high visibility optics. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Starting with data processing facilities, the technology office will do well with a general house inventory. The industry best practices have defined information assets but no one wants to classify digital information, and sensitive repositories overlap general storage space. Apples and oranges are stored and handled in similar fashion and disasters will always be waiting to happen. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;All practices lead into each other or provide supplementary and supporting value. To illustrate .. classification of information leads to the creation of a risk based inventory. This will help determine the server and storage location for the digital asset, its owner, backup, continuity and disaster recovery plans. In turn, one can now provision resources for protection, availability and safeguarding to focus on assets that are critical, sensitive or important for business. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Industry figures say that organizations can save up to 30% of asset and resource investment just by having a risk based asset management that talks to change management, incident management and other processes in the organization. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Moving on, environmental issues have been discussed fiercely over the past few years but inclusion of Green IT practices in organizations has been surprisingly slow. And that too in the face of the fact that green practices can provide immediate savings in the data center. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Including green practices is simply an activity that extends the best practice processes that may already be in place. The asset inventory done earlier has provided the organization with a map of the information store and the next step is to move non-sensitive information into virtual data stores and free up server / rack space. Any organization (small, medium, large) will usually save up to 30% of their hardware utilization if information (data) is managed in a structured manner. The fallout is pleasantly evident in immediate returns by way of reduced power consumption and freeing of hardware assets and rackspace (real estate). 
The power savings accrue due to the reduced number of servers, lowered air-conditioning and lighting requirements. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Similarly managing paper and toner consumption on printers and running awareness programs to reduce unnecessary printing lead to substantial cost savings. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;End point security is a big issue and every sysadmin wanting to demonstrate diligence will spend hours looking for exceptions, using state-of-the-art network monitoring tools. Unfortunately he/she is not guided to extend the monitoring to switching off unmanned machines. This is a security best practice and leads to energy efficiency which means immediate hard savings in energy bills. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Intelligent compliance provides overlap points and easy extensibility of best practices for the CIO/CTO/CSO to extract savings in hard cash or intangibles. 
Green initiatives include virtualization, switching off devices and lights, lowering energy consumption through alternative cooling efficiency systems in data centers, managing server load processing, optimizing network bandwidth use (for example managing spam or unnecessary exchange of files as attachment), introduction of automation and workgroup / file sharing tools, monitoring energy usage with remote shutdown and management, adopting energy and money friendly lighting systems. &lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;  &lt;p class="MsoNormal"&gt;&lt;span class="apple-style-span"&gt;&lt;span lang="EN-US" style="mso-bidi-font-size:9.5pt;line-height:115%;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;; color:black"&gt;Loosely this translates into uncommon common sensical initiatives. Every technology and security manager is exposed to new initiatives in the world of innovation and has to start looking at innovation that will provide value to the enterprise in terms of savings, income, efficiency or productivity. The answer is at hand and only needs the CxO to extend the line from vanilla best practices and standards to thinking of compliance convergence and then to garnish this mixture with a dash of innovation !&lt;span style="mso-spacerun:yes"&gt;  &lt;/span&gt;It is easy and the benefits are quick to come by. 
&lt;o:p&gt;&lt;/o:p&gt;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-6759438033046575476?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6759438033046575476/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6759438033046575476' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6759438033046575476'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6759438033046575476'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/04/converged-best-practices-and-standards.html' title='Converged Best Practices and Standards Provide Assured and Hard ROI..'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2557860676749087026</id><published>2010-04-23T00:44:00.003-04:00</published><updated>2010-04-23T01:19:02.624-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='new diasters'/><category scheme='http://www.blogger.com/atom/ns#' term='bcp/dr'/><category scheme='http://www.blogger.com/atom/ns#' term='volcanic ash'/><title type='text'>New disaster scenarios....</title><content type='html'>&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Life, nature and things super-natural never 
cease to surprise. The BCP/DR domain came face to face with a new scenario - Volcanic ash !&lt;/span&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Just goes to show how incidents can be man-made or natural and may or may not be in our backyard but still the kick in the butt is as strong as being in the epicenter of a 10 Richter strong earthquake. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;Over the past few weeks a volcano in Iceland with a &lt;s&gt; difficult &lt;/s&gt;name has made life difficult miserable for airlines and travelers worldwide. Ash from the volcano has been carried over Europe making it dangerous for aircraft to fly, resulting in the closure of airports across the UK and Europe. Due to this closure, thousands of passengers have been stranded at airports and cities across the world. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;The financial losses are tremendous and mount by the day ! Airline companies had to provide layover facilities to stranded passengers and this has burnt a big hole in the operational budgets. Aircraft are idling, parked at the airport(s) and unable to move, so there are additional fees payable every day. Companies selling fuel, services, food etc are also losing money - if the aircraft do not fly who is buying ! Tour operators have to deal with extended stays since they are unable to get their clients back home and then are unable to send out the new. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;The British Government sent out naval frigates to bring back their citizens but how much of a difference will this make. According to reports, about 30,000 or more people are waiting in India to fly out. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;While planning Continuity or Disaster Recovery this is a new phenomenon to be added to the list of disruptive incidents. Earthquakes, tsunamis,  pandemics, wars, terrorist acts etc have already shown their ability to disrupt business across borders, but  now we have volcanic output. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;And how does one assess the risk of disruption when the volcano is on another continent. I mean should I factor the risk of a volcanic eruption in Japan when planning in India ? It seems that (now) this is necessary - even if I am not doing business with Japan. And for a US corporation it will be important to factor this risk if they are doing business in India. 
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;To recap, we visit a few 'new age' disasters where boundaries are meaningless...&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Terrorist attack : 9/11 changed the world and the aftershocks continue till date. Closer home in Mumbai 26/11 brought about a sea change here in India. Then there are numerous threats and warnings everyday at airports and installations across the world that keep security agencies on their toes, and continuously disrupt life and business. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Tsunami: the big one in South Asia brought about enough havoc that the reverberations were felt worldwide. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Earthquakes: These keep happening and data center planners talk loudly about fault lines and the risk of siting in so called 'zones of potential disaster'. While I do not profess building in such areas I do want to raise my voice against doomsday pundits. 
Earthquakes may happen far away but can affect the well being of the country as a whole and result in a lot of hardship for the company - foreign exchange value higher prices etc&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Volcanic eruptions - the new babe on the block. I have see if anyone had identified such an event as a major global disaster. &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Pandemic: bird flu or avian flu, swine flu H1N1 and even things like heat-stroke !&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;- Many other scenarios emerge when one thinks ... fire, floods, rain, outages, cyberattacks etc etc.&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;The world is shrinking - this is for sure. And we thought it was just the digital world but even the real world has become smaller.  
&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;  &lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span"  style="font-family:arial;"&gt;&lt;br /&gt;&lt;/span&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2557860676749087026?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2557860676749087026/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2557860676749087026' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2557860676749087026'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2557860676749087026'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/04/new-disaster-scenarios.html' title='New disaster scenarios....'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6911038627451180355</id><published>2010-02-22T05:00:00.002-05:00</published><updated>2010-02-22T05:13:35.956-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='pricewaterhouse coopers lack of ethics'/><category scheme='http://www.blogger.com/atom/ns#' 
term='PwC lies and misrepresentation'/><title type='text'>PwC .. unethical bids based on lies</title><content type='html'>PwC is lying again. They bid for an eGovernance contract with the Central Public Works Department (CPWD) and submitted that they were a CMMI level 5 company. Turns out their certification expired in 2008 !&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now they show their lack of respect for the system and any sense of honor - they say that since the contract is for "software consulting" and not for "development" CMMI is not required ! And that currently they have an ongoing appraisal for their CMMI certification. Additionally that they have obtained other similar contracts without any issue so why is this an issue here.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Hello ! wake up !! CPWD asked that qualified bidders must be CMMI Level 5 certified and you are not. If you had these explanations, you should have put them up in the proposal or in the pre-bid meetings. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Why did you lie? OK you did not lie, you just did not tell the truth since your document did not disclose the expiration date and the whistle was blown on you by one of the competitors. So why are you crying like a spoilt brat (which you are)? And why did you not just say that it was an error instead of covering the lie with more untruth? &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Clearly shows lack of ethics and sense of fair play. First you cheat and then you cry foul when caught.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Check out the media coverage (page 30) &lt;a href="http://epaper.mailtoday.in/epaperhome.aspx?issue=2222010"&gt;http://epaper.mailtoday.in/epaperhome.aspx?issue=2222010&lt;/a&gt; or read some more on my other blog &lt;a href="http://infosecgallery.blogspot.com/2010/02/pwc-more-lies-and-misrepresentation.html"&gt;PwC .. 
more lies and misrepresentation - they need an lesson in ethics&lt;/a&gt; !&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;My take on the fallout - someone at PwC will get a big kick on his / her backside and rightfully deserves more. Even the company deserves more considering their role in Satyam ! &lt;/div&gt;&lt;div&gt;And of course, someone at a competitor company (Wipro or VAM) will get a promotion and a big fat bonus (rightfully so !). &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;PS: if any of the persons from Wipro/VAM/PwC read this I shall be very happy to get a communication from you .. tell me about the pain and the gain ;-)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-6911038627451180355?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6911038627451180355/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6911038627451180355' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6911038627451180355'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6911038627451180355'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2010/02/pwc-unethical-bids-based-on-lies.html' title='PwC .. 
unethical bids based on lies'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2117656902138807774</id><published>2009-12-20T11:30:00.002-05:00</published><updated>2009-12-20T11:33:33.283-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lost laptop'/><category scheme='http://www.blogger.com/atom/ns#' term='laptops'/><title type='text'>The Confessions of a Chief Executive and his lost laptop</title><content type='html'>The Confessions of a Chief Executive and his lost laptop&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;This is a nice fictional account of a CEO who lost his laptop and surely a tale worth sending out in the organization!&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.infoseccynic.com/2009/12/16/the-confessions-of-a-chief-executive-and-his-lost-laptop/"&gt;http://www.infoseccynic.com/2009/12/16/the-confessions-of-a-chief-executive-and-his-lost-laptop/&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2117656902138807774?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2117656902138807774/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2117656902138807774' title='0 Comments'/><link rel='edit' type='application/atom+xml' 
href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2117656902138807774'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2117656902138807774'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/12/confessions-of-chief-executive-and-his.html' title='The Confessions of a Chief Executive and his lost laptop'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-1142539624305192554</id><published>2009-12-01T04:46:00.004-05:00</published><updated>2009-12-01T05:09:34.362-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='system failure'/><category scheme='http://www.blogger.com/atom/ns#' term='Prometric failure'/><category scheme='http://www.blogger.com/atom/ns#' term='CAT'/><category scheme='http://www.blogger.com/atom/ns#' term='IIM'/><category scheme='http://www.blogger.com/atom/ns#' term='Prometric'/><title type='text'>The IIM CAT debacle - egg in your face !</title><content type='html'>December 01, 2009&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Indian Institute of Management (IIM) is the 'holy grail' amongst management institutes; they run a tough entrance exam that goes by the acronym CAT. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Well they decided to automate the testing and got into a $40m relationship with Prometric. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;On exam day hell breaks loose - and you can read stuff all over the net &lt;/div&gt;&lt;div&gt;&lt;a href="http://timesofindia.indiatimes.com/india/IIM-A-names-2-viruses-that-caused-CAT-chaos/articleshow/5286411.cms"&gt;&lt;/a&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div&gt;&lt;a href="http://timesofindia.indiatimes.com/india/IIM-A-names-2-viruses-that-caused-CAT-chaos/articleshow/5286411.cms"&gt;http://timesofindia.indiatimes.com/india/IIM-A-names-2-viruses-that-caused-CAT-chaos/articleshow/5286411.cms&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.bloggernews.net/123153"&gt;http://www.bloggernews.net/123153&lt;/a&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;a href="http://www.telegraphindia.com/1091201/jsp/frontpage/story_11806691.jsp"&gt;http://www.telegraphindia.com/1091201/jsp/frontpage/story_11806691.jsp&lt;/a&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div&gt;&lt;a href="http://www.telegraphindia.com/1091201/jsp/frontpage/story_11806691.jsp"&gt;&lt;/a&gt;&lt;/div&gt;&lt;div&gt;Simply put - they bit off more than they could chew. These management gurus just did not do anything they teach (and I daresay that I have met some of the graduates who are yet to learn some basic lessons). &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;No one has done a risk assessment. No one seems to have done any capacity planning ... nothing. Prometric seems to be clueless about how to handle large orders ! They have been unable to put together adequate resources for handling 25000 exam takers in a day ! There is no contingency or recovery plan in place - talk about over-confidence.  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;These big-guys sitting in their ivory towers now say that it was a virus attack at a few centers. That's so silly - they can't even get an excuse correct. 
I mean if you do not have the guts to say you goofed up in all honesty, then what is it that you teach these "best" brains ? &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;So will you teach them the 'art of glib statements' and 'excuses'? &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Unfortunately this is another case of a system failing and causing stress to students and their parents. And the people who run the system are not bothered because they do not value the human being. These youngsters spend thousands of hours studying hard preparing for the exam day and these guys messed their preparedness by building a weak system. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Earlier this year the new online automated system for junior college admissions in Mumbai messed up really bad and thousands of students seeking admission were put to grief and stress. The college admissions system goof up was also explained off by excuses, and now we see excuses again.&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In stark contrast we have the example of the US Secret Service who apologized for the lapse when a couple gate-crashed the dinner hosted by the President for the Indian PM. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;High time we grew up, owned up to our mistakes and made genuine efforts to correct ourselves. 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;  &lt;/div&gt;&lt;div&gt;  &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-1142539624305192554?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/1142539624305192554/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=1142539624305192554' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/1142539624305192554'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/1142539624305192554'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/12/iim-cat-debacle.html' title='The IIM CAT debacle - egg in your face !'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-805512673347333715</id><published>2009-11-06T00:43:00.004-05:00</published><updated>2009-11-06T01:27:25.883-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='phishing'/><category scheme='http://www.blogger.com/atom/ns#' term='bad research'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber crime'/><category scheme='http://www.blogger.com/atom/ns#' term='university of brighton'/><category scheme='http://www.blogger.com/atom/ns#' term='racist'/><title 
type='text'>Univ of Brighton research paper - bunch of lies !</title><content type='html'>&lt;div&gt;I had forgotten this so-called research paper but an article in the Economic Times prompted me to seek answers from the "researchers" at the Univ of Brighton. &lt;/div&gt;&lt;div&gt;These guys have a shallow paper based on hearsay, misplaced / racist perceptions of the developing world and they pass judgement. &lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Then they do not have the decency to respond to any objection to their "paper" ... is it a problem to face up to your mistakes?&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: Arial; font-size: 17px; "&gt;&lt;blockquote&gt;&lt;table width="100%" border="0" cellspacing="0"&gt;&lt;tbody&gt;&lt;tr&gt;&lt;td style="font-family: Arial; font-size: 18px; font-weight: bold; color: rgb(2, 83, 183); "&gt;&lt;a href="http://www.business-standard.com/india/news/phishing-study-bunchlies/375390/"&gt;Phishing study: Bunch of lies&lt;/a&gt;&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="font-family: Arial; font-size: 11px; font-weight: bold; "&gt;Kamlesh Bajaj /  November 05, 2009, 0:46 IST&lt;/td&gt;&lt;/tr&gt;&lt;tr&gt;&lt;td style="background-image: url(http://www.business-standard.com/images/common/gn_005.gif); background-repeat: repeat-x; "&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;p style="font-family: Arial; font-size: 12px; "&gt;&lt;/p&gt;&lt;p style="font-family: Arial; font-size: 12px; "&gt;A team of researchers including professors of University of Brighton published a report in July 2009 titled “Crime online — Cybercrime and illegal innovation”. It was picked up by online news channels and quoted in news items to propagate lies about so-called cybercrimes in the business process outsourcing (BPO) industry of India. 
The report tries to present data from the annual reports of the Indian Computer Emergency Team, and Symantec in a way that suits its story, of India being a centre of cybercrimes and in general being a weak state. We want to set the record straight............... &lt;i&gt;&lt;a href="http://www.business-standard.com/india/news/phishing-study-bunchlies/375390/"&gt;&lt;b&gt;Read More &lt;/b&gt;&lt;/a&gt;&lt;/i&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p style="font-family: Arial; font-size: 12px; "&gt;&lt;/p&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;Now this is Dr Bajaj blasting them above and they deserve it.&lt;/div&gt;&lt;div&gt; &lt;/div&gt;&lt;div&gt;I had written to them in August but they did not bother to reply, so now I am forced to put my email in the public domain:&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;span class="Apple-style-span" style="font-family: arial, helvetica, clean, sans-serif; font-size: 13px; border-collapse: collapse; line-height: 15px; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; "&gt;&lt;table cellspacing="0" cellpadding="0" border="0" style="border-collapse: collapse; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; font-size: inherit; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; display: table; "&gt;&lt;tbody style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;tr style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; display: table-row; vertical-align: inherit; "&gt;&lt;td valign="top" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; display: table-cell; -webkit-border-horizontal-spacing: 2px; -webkit-border-vertical-spacing: 2px; font: inherit; "&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; 
padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;/div&gt;&lt;blockquote&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;Dear Messrs Howard Rush, Chris Smith, Erika Kraemer-Mbula and Puay Tang&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;I am writing to you with reference to your research report "Crime Online - &lt;span class="yshortcuts" id="lw_1257487516_7" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; border-bottom-style: dashed; border-bottom-width: 1px; border-bottom-color: rgb(0, 102, 204); cursor: pointer; "&gt;Cybercrime&lt;/span&gt; and Illegal Innovation"&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: 
initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;This report has been quoted as the source that states "&lt;span class="yshortcuts" id="lw_1257487516_8" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; cursor: pointer; background-image: initial; background-repeat: initial; background-attachment: initial; -webkit-background-clip: initial; -webkit-background-origin: initial; background-color: transparent; border-bottom-style: none; border-bottom-width: initial; border-bottom-color: initial; background-position: initial initial; "&gt;India&lt;/span&gt; emerging as major cybercrime centre" and has obviously raised many doubts about the veracity of your study. A very alarming statement in your report says that &lt;span class="yshortcuts" id="lw_1257487516_9" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; cursor: pointer; background-image: initial; background-repeat: initial; background-attachment: initial; -webkit-background-clip: initial; -webkit-background-origin: initial; background-color: transparent; border-bottom-style: none; border-bottom-width: initial; border-bottom-color: initial; background-position: initial initial; "&gt;cyber crime&lt;/span&gt; has increased 50 fold in India during the three year period from 2004 - 07 and this is pure conjecture since you are referring to statistics for security incidents and not cyber crime and there is a BIG difference between these two. 
&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;A small search would have brought you to the National Criminal Record Bureau of the &lt;span class="yshortcuts" id="lw_1257487516_10" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;Government of India&lt;/span&gt; and you can easily get the &lt;span class="yshortcuts" id="lw_1257487516_11" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;cyber crime statistics&lt;/span&gt;. &lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;While you are publishing your report in 2009 you are relying on news articles that date back to 2005 and your report uses these isolated incidents to irresponsibly pronounce judgement ! Sad, to say the least. Especially when you folks are living in the UK which is a "cybercrime-incident-a-day" country. 
&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;As I write to you I have this window open &lt;a target="_blank" href="http://www.out-law.com/page-10309" style="line-height: 1.2em; text-decoration: none; color: rgb(0, 51, 153); outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;span class="yshortcuts" id="lw_1257487516_12" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;http://www.out-law.com/page-10309&lt;/span&gt;&lt;/a&gt; which is not something to be proud about.&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;I am also taking the liberty of forwarding a digest of discussions (# 1171 of Aug 21) between people on the India Infosec mailing list relating to this report. 
Brickbats all around for you, sadly, for trashing the &lt;span class="yshortcuts" id="lw_1257487516_13" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;BRIC countries&lt;/span&gt;. Do join this list to know more about the opinions of the security community. &lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;Your paper has been quoted here:&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;a target="_blank" href="http://timesofindia.indiatimes.com/news/india/India-emerging-as-major-cybercrime-centre-UK-study/articleshow/4911097.cms" style="line-height: 1.2em; text-decoration: none; color: rgb(0, 51, 153); outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;span class="yshortcuts" id="lw_1257487516_14" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; 
"&gt;http://timesofindia.indiatimes.com/news/india/India-emerging-as-major-cybercrime-centre-UK-study/articleshow/4911097.cms&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;a target="_blank" href="http://www.livemint.com/2009/08/20000730/India-emerging-as-centre-for-c.html?h=B" style="line-height: 1.2em; text-decoration: none; color: rgb(0, 51, 153); outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;span class="yshortcuts" id="lw_1257487516_15" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;http://www.livemint.com/2009/08/20000730/India-emerging-as-centre-for-c.html?h=B&lt;/span&gt;&lt;/a&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;span class="yshortcuts" id="lw_1257487516_16" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;a target="_blank" href="http://www.ndtv.com/news/world/india_emerging_as_major_centre_for_cybercrime_uk_study.php" style="line-height: 1.2em; text-decoration: none; color: rgb(0, 51, 153); outline-style: none; outline-width: initial; outline-color: initial; "&gt;http://www.ndtv.com/news/world/india_emerging_as_major_centre_for_cybercrime_uk_study.php&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;/blockquote&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; 
outline-color: initial; "&gt;&lt;span class="yshortcuts" id="lw_1257487516_16" style="line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;a target="_blank" href="http://www.ndtv.com/news/world/india_emerging_as_major_centre_for_cybercrime_uk_study.php" style="line-height: 1.2em; text-decoration: none; color: rgb(0, 51, 153); outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;/a&gt;&lt;/span&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;br /&gt;&lt;/div&gt;&lt;div style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; line-height: 1.2em; outline-style: none; outline-width: initial; outline-color: initial; "&gt;&lt;span class="Apple-style-span" style="border-collapse: separate; font-family: Georgia, serif; font-size: 16px; line-height: normal; -webkit-border-horizontal-spacing: 0px; -webkit-border-vertical-spacing: 0px; "&gt;&lt;div&gt;My final word here is that there are so many "experts" sitting in their lofty citadels who are driven by the need to generate copy. Information Security trends, issues etc cannot be judged on the basis of old articles and researchers must first understand the subtle differences in the jargon used in the business. For example, as every IS professional knows there is a big difference between problem management and incident management ! 
&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;In any case, with the large number of white papers, content, research on the net it is important that one is cautious about what to accept as true :)&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;/span&gt;&lt;/div&gt;&lt;/td&gt;&lt;/tr&gt;&lt;/tbody&gt;&lt;/table&gt;&lt;/span&gt;&lt;/div&gt;&lt;div&gt;&lt;br /&gt;&lt;/div&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-805512673347333715?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/805512673347333715/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=805512673347333715' title='2 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/805512673347333715'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/805512673347333715'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/11/univ-of-brighton-research-paper-bunchof.html' title='Univ of Brighton research paper - bunchof lies !'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>2</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-4389332011297072827</id><published>2009-01-30T03:42:00.003-05:00</published><updated>2009-01-30T03:52:50.290-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' 
term='heartland'/><category scheme='http://www.blogger.com/atom/ns#' term='security incidents'/><category scheme='http://www.blogger.com/atom/ns#' term='monster'/><category scheme='http://www.blogger.com/atom/ns#' term='compromised personal information'/><category scheme='http://www.blogger.com/atom/ns#' term='data theft'/><title type='text'>Monster follows Heartland...</title><content type='html'>A monstrous data leak at Monster.com has been announced. &lt;br /&gt;&lt;br /&gt;Its customer databases have been hacked for the second time in six months. They have lost user information which includes IDs, passwords, e-mail addresses, names, phone numbers, birth dates, etc. How many records are compromised is not known except that this affects monster.com users in America and Europe. &lt;br /&gt;&lt;br /&gt;So just take it easy if your name and personal information is used by someone you do not know. &lt;br /&gt;&lt;br /&gt;The reason is simple - Heartland happened and now Monster, and both maintain that your personal information is compromised and that they have a challenge to come up with any definite numbers. 
So you may be in it or may not be in the hole.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-4389332011297072827?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/4389332011297072827/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=4389332011297072827' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/4389332011297072827'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/4389332011297072827'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/01/monster-follows-heartland.html' title='Monster follows Heartland...'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6762380135434829916</id><published>2009-01-21T21:39:00.004-05:00</published><updated>2009-01-21T22:07:39.270-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='satyam'/><category scheme='http://www.blogger.com/atom/ns#' term='heartland'/><category scheme='http://www.blogger.com/atom/ns#' term='viruses worms trojans'/><category scheme='http://www.blogger.com/atom/ns#' term='confickr'/><category scheme='http://www.blogger.com/atom/ns#' term='new year'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><category 
scheme='http://www.blogger.com/atom/ns#' term='compromised financial information'/><title type='text'>The New Year begins with a bang ! Break My Heart....</title><content type='html'>What a start to the New Year ! And they told me 2008 was a bad one. &lt;br /&gt;&lt;br /&gt;January '09 and we brought in memories of a tragic 26/11 here in Mumbai. And we did not celebrate the passing of the old year, so was this due to the baggage we carried from the last year or a foreboding of the times to come?&lt;br /&gt;&lt;br /&gt;Seems to be the latter... when we take stock on this 21st day of the year 2009 AD. (And when I think about the 344 odd days ahead a shiver runs through me)&lt;br /&gt;&lt;br /&gt;First &lt;span style="font-weight:bold;"&gt;Satyam&lt;/span&gt; lives down its name. Raju confessed that he was lying for the past 7 years and more. So a billion dollar behemoth shows it had no pants (maybe no underwear too) and all the good men running along with it also may be in the buff. That was a $ 1.2 b shocker and for those of you who do not know this, the word Satyam means "truth" in Hindi / Sanskrit.&lt;br /&gt;&lt;br /&gt;Now &lt;span style="font-weight:bold;"&gt;Heartland&lt;/span&gt; breaks my heart by announcing the mother-of-all breaches. They say they have been compromised. Heartland processes about 100 million transactions every month and we can well imagine how bad this is going to be. TJX now may seem like small change because Heartland has beaten them to the tape. &lt;br /&gt;  It seems that they have had a backdoor running on their systems for quite some time and that they have found 'multiple' instances of malicious software on the network. Now they will work to make things better by bringing in "a next-generation program designed to flag network anomalies in real time".  &lt;br /&gt;  Cute. &lt;br /&gt;  &lt;br /&gt;&lt;span style="font-weight:bold;"&gt;Confickr&lt;/span&gt; a.k.a. 
&lt;span style="font-weight:bold;"&gt;Downadup&lt;/span&gt; is a big bad worm that has spread to over 3.5 million PCs worldwide and has the potential to create "one badass botnet" according to F-Secure. So users be warned about using your convenient USB sticks. Read more about this online before using your USB drives any more, or any autorun device. &lt;br /&gt;&lt;br /&gt;So this is it, in three weeks we have three major events: one in the east, one in the west and one worldwide. That's a nice number, once a week. &lt;br /&gt;&lt;br /&gt;And I am not yet talking about the seesawing markets or the billions that are still being handed out to the big banks and corporations to help them stay alive or afloat. &lt;br /&gt;&lt;br /&gt;There it goes... the mantra for success : Incorporate and employ thousands, since the numbers are so big some fools will pay you for nothing (the numbers will impress and so will window dressing like sub-prime). In a few years go tell the Government (whisper to them) that you are going under and they will give you a billion or a trillion, then they will lower interest rates and generously fill your begging bowl.  
&lt;br /&gt;&lt;br /&gt;We shall soon see a new elective - the art of becoming a C-level beggar.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-6762380135434829916?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6762380135434829916/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6762380135434829916' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6762380135434829916'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6762380135434829916'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/01/new-year-begins-with-bang-break-my.html' title='The New Year begins with a bang ! 
Break My Heart....'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-1865262617222680528</id><published>2009-01-15T20:50:00.003-05:00</published><updated>2009-01-15T21:21:05.343-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='satyam'/><category scheme='http://www.blogger.com/atom/ns#' term='bad govenance'/><category scheme='http://www.blogger.com/atom/ns#' term='shareholder fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='new year'/><category scheme='http://www.blogger.com/atom/ns#' term='fraud'/><category scheme='http://www.blogger.com/atom/ns#' term='compromised financial information'/><title type='text'>Governance... whats that ! Happy New Year !!</title><content type='html'>The New Year has got off with a bang. India's Big-4 IT company has shown that it does not have underwear - the king without clothes, and all along we believed that they were the best. Satyam Computers is a billion dollar plus company doing great business, employing 50,000 people across the globe....... and living a fraud. &lt;br /&gt;&lt;br /&gt;The boss man at Satyam confessed that he has been cooking the books of accounts for the past 7 years or more. And this fudging has snowballed into a huge $ 1.2 billion hole in the company's statement of cash in hand and bank deposits. If this was not enough, Raju also said that revenue figures and margin statements for the quarter were inflated ! &lt;br /&gt;&lt;br /&gt;The Satyam board had approved the purchase of companies owned by Raju's sons, the shareholders smelt a rat and Satyam's stock tumbled 55% on NYSE. 
The decision was withdrawn in an hour but this action brought greater scrutiny and the house of cards collapsed within a few days. &lt;br /&gt;&lt;br /&gt;Governance norms were thrown to the wind by this company which was recently recognized by an &lt;a href="http://www.goldenpeacockawards.com/"&gt;award for good Governance (Golden Peacock)&lt;/a&gt;.  &lt;br /&gt;&lt;br /&gt;What is surprising is that the directors, auditors, accountants and managers all say that they did not know about this. And this fraud has been going on for so many years now. So we must assume that Raju is super human and a super-genius to be able to put a mask on so many players at the same time and be able to successfully cloak numbers in the account statements repeatedly.  &lt;br /&gt;&lt;br /&gt;According to Raju he could not get off the tiger he was riding. It is common knowledge that you sleep with the devil and you get burned. He started a con job and the con grew bigger and bigger and there was no way he (or his cronies) could handle it. &lt;br /&gt;&lt;br /&gt;And all these cronies are crying out loud claiming innocence. The auditors say that they relied on documents provided by the management ! The CFO says he did not check the balance sheet and that it was prepared by his VP !! The Directors say they accepted what was presented to them - at face value !!! It is highly irresponsible to sign on public documents asserting they are correct and then not be able to stand by the same documents. All these people were busy being wined, dined and rewarded with cash and gifts and never gave a thought to their responsibility towards the shareholders. &lt;br /&gt;&lt;br /&gt;Hope they are brought to book too, and get to see a jail from the inside. The reason is that this is a typical line of thought - nothing will happen, it is India. Our investors association hardly has any teeth to fight for rights and bring these large corporations to closure. 
Well for once they were wrong because they did not factor shareholder anger in the US. &lt;br /&gt;&lt;br /&gt;And thank God for this wake up call. Companies must embrace the practices of good governance not for complying with public sentiment and regulatory requirement. Any corporate leader with a decent amount of common sense can reap benefits of good governance by way of efficient processes and increased brand value which will provide ROI in the form of savings and stakeholder / customer confidence. The trick is in implementing governance initiatives in the spirit and do not worry you are not exposing yourself but you will be cleaning your act.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-1865262617222680528?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/1865262617222680528/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=1865262617222680528' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/1865262617222680528'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/1865262617222680528'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/01/governance-whats-that-happy-new-year.html' title='Governance... whats that ! 
Happy New Year !!'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6067645945363673914</id><published>2009-01-15T20:32:00.004-05:00</published><updated>2009-01-15T20:43:18.272-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber ransom'/><category scheme='http://www.blogger.com/atom/ns#' term='identity theft'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber squatting'/><title type='text'>Squatting does not pay</title><content type='html'>Cyber squatting followed by a ransom demand in full public view does not pay. International laws have converged into the norms set by ICANN and WIPO and these do not support any form of cyber squatting. Add a ransom and you have trouble while you squat. &lt;br /&gt;&lt;br /&gt;Way back in 1995/96 in the early days of the Internet in India, I remember being asked by a client to book domain names of various established firms in India. I spent a few hours explaining to him how it did not make sense and the problems he could face ahead for playing around with an established trade-mark. Cyber squatting was very much on the mind of such people and some people must have made a killing but I would like to believe that a majority have been evicted without any gains. &lt;br /&gt; &lt;br /&gt;This recent case should provide some guidance for deterrence to wannabe squatters, and in-the-act squatters should vacate the domain names and garner some goodwill from their victims. The goodwill may generate rewards too, like any good deed brings some good by itself. 
&lt;br /&gt;&lt;br /&gt;-------&lt;br /&gt;&lt;blockquote&gt;&lt;span style="font-weight:bold;"&gt;&lt;a href="http://www.reuters.com/article/technologyNews/idUSTRE50D5EQ20090114?feedType=nl&amp;feedName=ustechnology"&gt;World's second richest man gets Web name back for free&lt;/a&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-style:italic;"&gt;Wed Jan 14, 2009 12:21pm EST&lt;br /&gt;GENEVA (Reuters) - The world's second richest man, Mexican telecommunications tycoon Carlos Slim Helu, won control for free on Wednesday of a Web address in his name that an Indonesian had tried to sell him for $55 million.&lt;/span&gt;&lt;/blockquote&gt;&lt;br /&gt;&lt;br /&gt;----------&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-6067645945363673914?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6067645945363673914/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6067645945363673914' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6067645945363673914'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6067645945363673914'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2009/01/squatting-does-not-pay.html' title='Squatting does not pay'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-469795589162489240</id><published>2008-11-28T06:47:00.004-05:00</published><updated>2008-11-28T07:10:10.392-05:00</updated><title type='text'>Aligarh police crack cyber crime</title><content type='html'>This is good news and shows the increasing awareness among the law enforcement fraternity in the country. Mind you, Aligarh is not a Bombay or Delhi. It is pretty far away from the hustle and bustle of a big town and is a growing city. &lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;http://in.news.yahoo.com/32/20081126/1053/tnl-aligarh-police-crack-cyber-crime.html?printer=1&lt;br /&gt;&lt;br /&gt;HT&lt;br /&gt;Wed, Nov 26 02:05 AM&lt;br /&gt;&lt;br /&gt;&lt;blockquote&gt;THE ALIGARH police have cracked the case of cyber crime clipping on the google and youtube websites under the title 'Save Aligarh Save Aligarh', propagating employment of child labourers for manufacturing of hardware and locks in five biggest export players homes, including prominent exporter Prashant Enterprises, in Aligarh. On the basis of an FIR lodged by Managing Director of Prashant Enterprises, Aligarh, Ramesh Chand Singhal charging the google clip - which propagated the name of his export home - with mischief by showing Prashant Enterprises using child labourers in its video clip, the Aligarh police raided the office of one news channel based in Sector 6, Noida and arrested Ram Nagina Yadav, an Information technical head of the news channel and detained its other two employees Rudra Pratap and Gaurav Garg for interrogation in the matter. 
Superintendent of Police (City) Man Singh Chauhan told HT that Singhal had lodged the FIR on October 20 under IT Act that some unidentified person had uploaded a video clipping showing child labours were working in his unit and that the video clip was being posted on google.com and brought to the notice of major importers of the Western countries with whom Prashant Enterprises has export ties. Singhal stated in his FIR that the said clip was fabricated to defame his concern at the national and international levels due to which Prashant Enterprise had not only suffered a substantial loss in its export business but it also received threats, Chauhan added. He further said during the investigation, the police also cracked the e-mail identity which had uploaded the said video clip on Google website. This exposed that the clip was uploaded by the office of a news channel situated in Sector 6 in Noida, he said. Thereafter, the Aligarh police raided the office of the news channel on Sunday, he said. Chauhan further added during the interrogation the three employees of the channel disclosed that their employer Surendra Gupta and his sons Abhishek and Sunil Gupta had directed them to upload the clip on the google website through Rudra Pratap's e-mail address. Efforts are on to nab Surendra Gupta and his sons, who also run an export business, he added. Meanwhile, the news channel's owner Surendra Gupta told journalists here over phone that he had received this video clip from one television reporter of Aligarh but he refused to telecast the video clip, as his channel was not functioning in Aligarh. 
"I have no knowledge as to who had uploaded this video clip on the internet," he said.&lt;/blockquote&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-469795589162489240?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/469795589162489240/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=469795589162489240' title='3 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/469795589162489240'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/469795589162489240'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/11/aligarh-police-crack-cyber-crime.html' title='Aligarh police crack cyber crime'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>3</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2359678764124584654</id><published>2008-11-11T23:56:00.004-05:00</published><updated>2008-11-12T01:48:05.912-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security spening'/><category scheme='http://www.blogger.com/atom/ns#' term='Compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='integrated compliance'/><category scheme='http://www.blogger.com/atom/ns#' term='GRC'/><category scheme='http://www.blogger.com/atom/ns#' term='unified compliance'/><title 
type='text'>Compliance is the fuel for InfoSec initiatives ?</title><content type='html'>The law is a strong whip to crack when you need to get people in line, and the need to comply with the law of the land where you are from and the law of the land where you work increases the stress levels of individuals and organizations. &lt;br /&gt;&lt;br /&gt;It is a known fact that IT, IS, Governance, IT Risk Mgt are always short changed in terms of funding. However, it is also known that Compliance requirements are disposed of with no thought of expense. Consider the billions spent on SOX compliance which could have been saved substantially if these very corporations had a semblance of Security / Governance / Risk Management best practices in place !!&lt;br /&gt;&lt;br /&gt;But no ! They all had to build it all from scratch and in doing so they spent millions, nay they spent billions. &lt;br /&gt;&lt;br /&gt;Having spent this money, they sat back and waited for the next compliance need since the 'SOX project' was over. Well we now see that they did not learn anything from SOXing their corporations since everything was done just for the sake of doing it and not for the spirit. Else they would have been able to discover the fact that the banking system was rotten within and would not be able to survive another few years. &lt;br /&gt;&lt;br /&gt;Dear reader, you know all about Enron and WorldCom. Well they just screwed a few pension funds and a few thousand employees. They did not bring the financial system to collapse point. They did not bring G-8 and G-x government heads together to pump billions into the system. Their collapse did not bring about a global meltdown. Their collapse did not screw investors worldwide, it did not butcher governments, trade, manufacturing, support etc etc. 
&lt;br /&gt;&lt;br /&gt;I think a few thousand billions have already been poured into this black hole and they are still crying for more.&lt;br /&gt;&lt;br /&gt;Well coming back to Compliance - it is time to take advantage of this whip and turn the whiplash into a pat on the back. Time to move ahead of the pack and turn this "requirement" into a strength and extract a pound for every penny spent. &lt;br /&gt;&lt;br /&gt;Welcome to the thought of Unified Compliance or Integrated Compliance or whatever you may call it. &lt;br /&gt;&lt;br /&gt;I had made a presentation at &lt;a href="http://www.icai.org"&gt;ICAI&lt;/a&gt; in India, and at &lt;a href="http://www.isacauae.org/isacaorg/home.aspx?code=HM"&gt;iSAFE in Dubai&lt;/a&gt; last month in October. &lt;a href="http://www.securians.com/papers/"&gt;Follow the link to download these&lt;/a&gt;, if you are interested.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2359678764124584654?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2359678764124584654/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2359678764124584654' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2359678764124584654'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2359678764124584654'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/11/compliance-is-fuel-for-infosec.html' title='Compliance is the fuel for InfoSec initiatives ?'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image 
rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3820744794934520831</id><published>2008-04-10T22:31:00.002-04:00</published><updated>2008-04-10T22:35:15.975-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='secure software development'/><category scheme='http://www.blogger.com/atom/ns#' term='security education'/><title type='text'>Catching them early ... build security in to the psyche</title><content type='html'>&lt;span style="font-family: verdana;"&gt;I have been thinking about this for quite a while, and had written to a management institute in Mumbai (India) to propose an addition to the curriculum, and establish thought leadership in IT education in the country. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;Since I had been a guest lecturer for two semesters for the IT Audit elective in the IT Management curriculum, I wrote to them, as they were the only institution I was familiar with someone in the management. I have not got a response from them yet, and I shall look at some means to connect with other institutions in India and elsewhere. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;And today I read &lt;a href="http://blogs.oracle.com/maryanndavidson/2008/04/08#a286"&gt;Mary Ann Davidson's blog&lt;/a&gt; ... she has obviously spent a lot of on this as compared to my stumbling on a thought while rambling away. And she would, since it is straight off something which has clearly been an issue at her organization and more. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;There are a lot of things which are right in what she says but then the American psyche is to think University and a formal regulated education system. 
My thinking about the subject was more grassroot level, where the problem begins.... and being from India, I tend to think neighborhood before going mainstream.  &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;My thoughts go to the zillions of tiny, mid-sized and large institutes that dot the Indian countryside and cities - teaching Oracle, Java, .NET, C and what have you. Costs may start as low as $100 and students are usually new graduates from school or university. They are looking at learning 'computers' to get a break in IT and make a good salary. Many are guided by word of mouth or by a counselor that a certain course is 'hot' in the market and that is the motivation to join the course - he / she will finish the course in 4 - 8 weeks and try to join the developer mainstream. These students may or may not be engineering or science graduates. The instructor may usually be an ex-student paying off his / her discount from the course fee for a stipend, teaching by rote from the book which he / she learned from a few weeks earlier. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;These students are hired by companies large and small, put through the in-house training if in a large organization (else he/she learns on the job), and deployed on development projects for overseas customers. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt; &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;This is the bulk of the workforce which grows in their roles; the smart ones pick up certifications and skills and grow. Others take time, but they grow too since they keep learning better practices. 
&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;So how does one control the millions of students who are half-baked in terms of their understanding of the processes underlying the systems they are going to program for, and are unaware of the expectations these systems and industry have from them !&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;This is where the solution has to be found... yes the large organized and funded universities and institutions will teach security as part of their programs and the Ivy league member will come out of the education system properly ordained into the culture of security and best practices, but the bulk of the workforce still remains to be addressed. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;I don't believe DHS, or the Universities can do anything here, as this solution has to come from industry leaders in software, hardware and databases like Microsoft, Oracle, Sun, Apple, Intel, AMD and others. The underlying systems have to be tuned NOT to accept calls under normal computing commands. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;If I am designated as a common database user why do I need to look at the structure or permissions or settings. My application interface is built to carry out my read/write and report functions. In such a scenario, a default database installation may be configured to accept calls ONLY from applications X, Y and Z, and to force a change of the Administration login / password on installation. The argument will be that this can be taken care of by an Identity Management System, but how many IdM installations do we find in mid and small sized companies. Or, large companies for that matter. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;Underlying systems have to demand secure access and practices from the application layer and the GUI. 
This will force the industry to ensure that secure practices start getting the same level of importance as syntax. Sit in a class, and you will know that the only thing taught is syntax and compilation, debugging and rollout. Testing is a different profession ! &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;Another example can be to have a feature for secure documentation. Or term it secure editing. If I coin an industry word it will be secure word processing. As MS-Word is the most commonly installed word processor, why does Microsoft not have an add-on which will provide a secure documentation feature. This can be a common feature in the application which will encrypt the document as it is saved. The application will use the owner's private key and challenge questions which will have been stored in the user profile. This can be an enterprise feature too, and will help save countless idiotic incidents where data is lost by banks, corporations and government agencies. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;Security and Privacy are necessary to be safeguarded and the psyche has to be tuned to accept this as a way of life. Education has an important role to play and must start as early as possible. 
Going back into school and early years when the child is exposed to computers and computer games it will be nice to provide the knowledge to him / her that the machine is highly versatile and will help do all sorts of work and will entertain too, however, while enjoying the fruits of computing power there is a certain way of life which has to be followed (online and offline) and that is the path of secure and safe computing.&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-3820744794934520831?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3820744794934520831/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3820744794934520831' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3820744794934520831'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3820744794934520831'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/04/catching-them-early-build-security-in.html' title='Catching them early ... 
build security in to the psyche'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-691591184106924495</id><published>2008-01-30T22:12:00.000-05:00</published><updated>2008-01-30T22:45:19.167-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='bad govenance'/><category scheme='http://www.blogger.com/atom/ns#' term='societer generale'/><category scheme='http://www.blogger.com/atom/ns#' term='risk management'/><category scheme='http://www.blogger.com/atom/ns#' term='segregation of duties'/><category scheme='http://www.blogger.com/atom/ns#' term='incident management'/><category scheme='http://www.blogger.com/atom/ns#' term='lack of controls'/><title type='text'>Societe Generale .. messed up information security controls</title><content type='html'>&lt;span style="font-family: verdana;"&gt;They say that they have SIX levels of controls.... so were the controls working ? or were they drunk (or disabled to allow easy access) for over a year.&lt;br /&gt;&lt;br /&gt;And what were the auditors doing !&lt;br /&gt;And the managers to whom M Kerviel reported.&lt;br /&gt;&lt;br /&gt;Obviously Societe Generale team has no clue about the concept of Segregation of Duties, or Identity Management at the first level. One would expect that SOD would be in place and responsibility levels would be established. 
There seems to be no limit on the transaction value which an individual can transact and to top this sad state of affairs, there is no oversight on the actions of the trader.&lt;br /&gt;&lt;br /&gt;The spirit of Governance is sorely lacking in terms of communication, in terms of transparency since this is a public institution, in terms of (seemingly) witch hunting, in terms of absolving the Chairman of any responsibility in the affair. The basic tenet of good governance is that the bosses are responsible for EVERY MESS as much as they are responsible for every win, and that they have to know what is going on in the organization, especially when the risk is so high. &lt;br /&gt;&lt;br /&gt;Incident Management sucks - their Communication plan is all messed up. Every statement has been made when their knee jerked. Statements do not seem to be backed by any investigation and just make allegations. Then there are mis-statements like the correction of the original amount of $ 7.1 bn being split into 5.1 from the trade and 2 from the sub-prime exposure.&lt;br /&gt;&lt;br /&gt;Their reputation is already in the pits, and with these gaffes, they are just making themselves look sillier and sillier. If bank chairmen are such, I think I can do a better job &lt;lol&gt;&lt;br /&gt;&lt;br /&gt;Risk Management ... does it exist outside their policy book ? They claim to have the most sophisticated risk management system, but does it exist in practice ? That is the catch and this is how it is everywhere. Policies are made along with loud noises but then what ? Does the policy move into practice and is the practice sustained, is the billion dollar question. Everyone wants to know how this works at SG and it is anyone's guess if these guys are going to share their sob story.&lt;br /&gt;&lt;br /&gt;The jury is out on this ......... a trader is exposed for about $ 50+ bn which is enough to wipe out the bank. And NO ONE IN THE BANK KNOWS ! So does he not report to anyone. 
Are there no pay-outs or pay-ins which have to be entered into the books of account, no checks to issue, no payments to acknowledge - do we assume that he made the trade, then HE wrote up the books of account and then HE signed any check / voucher. In other words he (a junior trader) ran the bank department or HE was the department.&lt;br /&gt;&lt;br /&gt;We do know that red flags were raised about his positions, so was his work put under review and was a limit set to his activities.&lt;br /&gt;&lt;br /&gt;......... there is much much more here and it will be a great drama which will unfold over the next few days / weeks. We have the first statements from the 'rogue trader' and as he talks and as the police investigate at SG we shall see and hear a lot more.&lt;br /&gt;&lt;br /&gt;The article on the BBC website is an interesting read. &lt;a href="http://www.bbc.co.uk/blogs/thereporters/robertpeston/2008/01/socgen_unhedged.html#postcomment"&gt;SocGen Unhedged, by Robert Peston&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-691591184106924495?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/691591184106924495/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=691591184106924495' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/691591184106924495'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/691591184106924495'/><link rel='alternate' type='text/html' 
href='http://securambling.blogspot.com/2008/01/societe-generale-messed-up-information.html' title='Societe Generale .. messed up information security controls'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-8031103950334828644</id><published>2008-01-30T21:51:00.000-05:00</published><updated>2008-01-30T22:12:39.803-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='improper communication'/><category scheme='http://www.blogger.com/atom/ns#' term='trading'/><category scheme='http://www.blogger.com/atom/ns#' term='societer generale'/><category scheme='http://www.blogger.com/atom/ns#' term='risk'/><category scheme='http://www.blogger.com/atom/ns#' term='reputation'/><category scheme='http://www.blogger.com/atom/ns#' term='communication plan'/><category scheme='http://www.blogger.com/atom/ns#' term='banking incidents'/><title type='text'>Societe Generale ... lies, lies and all lies</title><content type='html'>So Societe Generale lost 7.1 bn last week, then restated this to $ 5.x bn because 2.x bn was a loss from the sub-prime plague.&lt;br /&gt;&lt;br /&gt;And it was a rogue trader who opened SG's purse but was it a rouge rat who cast the sub-prime spell on them ? Who has been blamed for this ?&lt;br /&gt;&lt;br /&gt;Daniel Bouton, the bank Chairman, is on a panhandling trip to get $ 5.x bn and keeps his job, while his resignation is still on the desk. 
A moral resignation nevertheless which was honorably presented the moment the s%6t hit the ceiling.&lt;br /&gt;&lt;br /&gt;Consider the lies which have been hogging the news :&lt;br /&gt;&lt;br /&gt;First it was&lt;span style="font-weight: bold;"&gt; "Rogue trader defrauds the bank of $ 7.1 bn"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;There was no defrauding the bank. This guy was doing his job, and that too independently. There was no one checking his work ! Cool........ give me the bank treasury and I will also play the stock exchange at will.&lt;br /&gt;Hey what happened to the 7.1 bn - now it is only 5.1 bn ! The other 2 bn is actually the hit SG got from the sub-prime exposure and sorry the Chairman goofed up in his communication to the Prime Minister and the Central Bank and the public and shareholders at large. &lt;br /&gt;It's okay this is just a couple of billion here or there ! So what if I just messed the European market a tad while squaring all holdings.&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;And he was "&lt;span style="font-weight: bold;"&gt;a junior trader, recently promoted from the back office. so he has intimate knowledge of the systems and easily circumvented controls"&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Another white lie - he has been trading since 2005 (?) so that is pretty recent ! Three years on the trading desk and he contributed €1.5 bn to the bank kitty with his trading profits last year. Pretty cool performance for a junior trader and I am sure there was a lot of Champagne and partying at the end of the year when the numbers came in. Will you be surprised to find that the Chairman sent a case of Dom along with a card ?&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;The &lt;span style="font-weight: bold;"&gt;Chairman said that he did not know him...&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;OK we shall take it at face value. 
The Chairman is not supposed to know everyone in the bank. And considering how loose the controls at SG are, I am apt to believe that there are hundreds / thousands of traders betting the bank's pants every day and making a billion plus for the bank every year. &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;Now.......&lt;br /&gt;The French government wants to protect this institution from takeover without realizing that it will be good for their health if this is allowed. At least the new owners will bring in a training program on "Better Communication Skills for Chairmen"&lt;br /&gt;&lt;br /&gt;I seem to be forgetting the information security and risk management aspect of this episode .... and will cover this in the next post.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-8031103950334828644?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/8031103950334828644/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=8031103950334828644' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8031103950334828644'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8031103950334828644'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/01/societe-generale-lies-lies-and-all-lies.html' title='Societe Generale ... 
lies, lies and all lies'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3346678722899511632</id><published>2008-01-16T13:17:00.000-05:00</published><updated>2008-01-16T13:30:09.041-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='security incidents'/><category scheme='http://www.blogger.com/atom/ns#' term='incident management'/><category scheme='http://www.blogger.com/atom/ns#' term='hacking'/><title type='text'>A Security Incident looked at closely</title><content type='html'>&lt;span style="font-family: verdana;"&gt;Incident Response, Handling, Management and Post-Incident actions are crucial to any Security program and this is a well recognized fact. Many companies do not test their systems, many do tests using internal 'gurus' who are generalists or hobbyists, some do it for the sake of meeting a regulatory requirement and so on. 
And unfortunately there are attacks and then there are attacks which are undiscovered.&lt;br /&gt;&lt;br /&gt;And there was the mother of all compromises - the TJX Maxx incident which went undetected for more than a year.&lt;br /&gt;&lt;br /&gt;A very interesting 'anatomy' of a hack was published and provides a situational view of what is happening and what to do.&lt;br /&gt;&lt;br /&gt;&lt;a style="font-weight: bold;" href="http://www.zdnet.co.uk/misc/print/0,1000000169,39291953-39001115c,00.htm"&gt;&lt;/a&gt;&lt;blockquote&gt;&lt;a style="font-weight: bold;" href="http://resources.zdnet.co.uk/articles/0,1000001991,39291953,00.htm?r=1"&gt;Anatomy of a hack attack&lt;/a&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Sally Whittle ZDNet.co.uk&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt;Published: 07 Jan 2008 16:39 GMT&lt;/span&gt;&lt;br /&gt;&lt;br /&gt;With the help of security experts, we recreate a typical hack attack on two large organisations and walk through the steps that the head of IT should follow in such a case.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.zdnet.co.uk/misc/print/0,1000000169,39291953-39001115c,00.htm"&gt;(the print version of this article is here)&lt;/a&gt;&lt;br /&gt;&lt;/blockquote&gt;&lt;br /&gt; &lt;/span&gt;&lt;span style="font-family: verdana;"&gt;&lt;br /&gt;It will be to the advantage of the security organization to build a culture of proactive security and to continuously update and test their responsiveness to incidents. 
The security officers must also participate in meetings with law enforcement agencies to be informed about ground realities and any happenings which may affect their organization too.&lt;br /&gt;&lt;br /&gt;Dinesh&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-3346678722899511632?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3346678722899511632/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3346678722899511632' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3346678722899511632'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3346678722899511632'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/01/security-incident-looked-at-closely.html' title='A Security Incident looked at closely'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3516327435557091050</id><published>2008-01-15T15:07:00.001-05:00</published><updated>2008-01-15T15:49:43.092-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='practices'/><category scheme='http://www.blogger.com/atom/ns#' term='education'/><category scheme='http://www.blogger.com/atom/ns#' term='policy'/><category 
scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='IT Security'/><category scheme='http://www.blogger.com/atom/ns#' term='security education'/><category scheme='http://www.blogger.com/atom/ns#' term='children'/><category scheme='http://www.blogger.com/atom/ns#' term='UK MP statement'/><title type='text'>Education system should include IT Security</title><content type='html'>&lt;span style="font-family: verdana;"&gt;Education is key to building a culture of respect for the system in which we live, for nature, for our fellow beings and for all that which is not ours. This does not mean that I should not respect what is mine ! &lt;/span&gt;&lt;br /&gt;&lt;br /&gt;&lt;span style="font-family: verdana;"&gt;To get back to the subject of this post... I mentioned the need to "reorient" education at all levels, and today this is what the MP is talking about, and that's the way to go. &lt;/span&gt;&lt;br /&gt;&lt;blockquote style="font-family: verdana;"&gt;&lt;br /&gt;&lt;a style="font-weight: bold;" href="http://news.zdnet.co.uk/security/0,1000000189,39292057,00.htm"&gt;MP: Children must be taught IT security&lt;br /&gt;&lt;/a&gt;&lt;a style="font-weight: bold;" href="http://news.zdnet.co.uk/security/0,1000000189,39292057,00.htm"&gt;&lt;/a&gt;&lt;span style="font-size:85%;"&gt;&lt;span style="font-style: italic;"&gt;Tom Espiner ZDNet.co.uk&lt;/span&gt;&lt;br /&gt;&lt;span style="font-style: italic;"&gt; Published: 10 Jan 2008 16:55 GMT&lt;/span&gt;&lt;/span&gt;&lt;br /&gt; &lt;p&gt;&lt;span style="font-size:85%;"&gt;&lt;strong&gt;The UK government has said that young people need to be educated about IT security.&lt;/strong&gt;&lt;/span&gt;&lt;/p&gt;         &lt;p&gt;&lt;span style="font-size:85%;"&gt;Minister of state for schools and learners Jim Knight told ZDNet.co.uk on Wednesday that, as there is increasing online interaction between schools and parents, young people need to know about the possible dangers 
of IT security being compromised.&lt;/span&gt;&lt;/p&gt;&lt;/blockquote&gt;&lt;p style="font-family: verdana;"&gt;&lt;/p&gt;&lt;span style="font-family: verdana;"&gt;&lt;br /&gt;I remember Moral Science classes in school where we were taught the virtues of honesty and loving my neighbor, respecting my elders et al. This shaped me into a responsible human being and I believe that the same values are needed when we are talking about computing and internet usage.&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.webuser.co.uk/news/173596.html?aff"&gt;12 year olds are trading viruses&lt;/a&gt; !&lt;br /&gt;&lt;br /&gt;&lt;a href="http://infosecgallery.blogspot.com/2008/01/cyber-criminal-is-getting-younger.html"&gt;14 year olds are arrested for screwing up a public transport system &lt;/a&gt;!! The kid(s) thinks this is fun when grown ups run around crazy just because he / she pressed the enter key without anyone being wiser.&lt;br /&gt;&lt;br /&gt;Yes there is the need to include ethical computer usage and it has to start young. It is a recognized fact that training and awareness are the most effective tools in any Information Security implementation, and the same solution has to be brought into the system.&lt;br /&gt;&lt;br /&gt;Maybe I shall make a check to see how many management or technology courses include ethical computing as part of their curriculum......... 
fodder for my next post.&lt;br /&gt;&lt;br /&gt;Adios&lt;br /&gt;Dinesh Bareja&lt;br /&gt;"ramble securely"&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-3516327435557091050?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3516327435557091050/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3516327435557091050' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3516327435557091050'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3516327435557091050'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2008/01/education-system-should-include-it.html' title='Education system should include IT Security'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-2520387823858032892</id><published>2007-12-13T14:52:00.000-05:00</published><updated>2007-12-13T14:58:59.592-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='online scam'/><category scheme='http://www.blogger.com/atom/ns#' term='threats'/><category scheme='http://www.blogger.com/atom/ns#' term='robot'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber crime'/><category 
scheme='http://www.blogger.com/atom/ns#' term='online lover'/><title type='text'>This lover will take you for a ride !</title><content type='html'>A new threat on the Net ....... you may be cozying up with the wrong type of lover. A lover who does not exist and is only a computer program !! This robot will turn you on and get under your skin :)&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;div class="h2_box article_header"&gt;&lt;span style="font-weight: bold;"&gt;Cyber lovers warned beware of flirtatious robots&lt;/span&gt;&lt;div class="sms_t"&gt;Predatory program can attract 10 partners in 30 minutes&lt;/div&gt;&lt;/div&gt;   &lt;div class="art_info"&gt;   &lt;div class="author_date"&gt;    &lt;span class="author"&gt;&lt;a href="http://www.computerworld.com.au/index.php/authid;706117028"&gt;&lt;/a&gt;&lt;/span&gt;&lt;span class="date"&gt;Sandra Rossi, 11/12/2007 15:58:04&lt;/span&gt;   &lt;/div&gt; &lt;a href="http://www.computerworld.com.au/index.php/id;1672098041;fp;;fpid;;pf;1"&gt;Read the full story here &lt;/a&gt;&lt;br /&gt; &lt;/div&gt; &lt;p class="storybody"&gt;&lt;span style="font-size: 11pt; font-family: &amp;quot;Calibri&amp;quot;,&amp;quot;sans-serif&amp;quot;;"&gt;&lt;a href="http://www.computerworld.com.au/index.php/id;1672098041;fp;;fpid;;pf;1"&gt;http://www.computerworld.com.au/index.php/id;1672098041;fp;;fpid;;pf;1&lt;/a&gt;&lt;/span&gt;&lt;/p&gt;&lt;p class="storybody"&gt;Internet users are being warned about a new malware trend involving the use of natural language dialogue systems that are already deployed within gaming technologies. &lt;/p&gt;&lt;p class="storybody"&gt;The software conducts fully automated flirtatious conversations in a bid to collect personal data from those seeking relationships online. 
&lt;/p&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-2520387823858032892?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/2520387823858032892/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=2520387823858032892' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2520387823858032892'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/2520387823858032892'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/12/this-lover-will-take-you-for-ride.html' title='This lover will take you for a ride !'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-8070535402293747943</id><published>2007-12-11T14:11:00.000-05:00</published><updated>2007-12-11T14:44:28.291-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber weapons'/><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='compromised personal information'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber terror'/><category scheme='http://www.blogger.com/atom/ns#' term='WMD'/><title type='text'>Its the war syndrome....</title><content type='html'>&lt;span 
style="font-family:verdana;"&gt;The generals have new weapons. The generals need not be uniformed with rows of medals on their chests. Their armies need not be working out every day to be in good health etc.... They may never step out into the open to wage war because they attack through computers and networks using invisible bits and bytes to inflict more damage than "Little Boy" and its descendants.&lt;br /&gt;&lt;br /&gt;Well MI-5 has warned UK-based corporations to be aware of Chinese espionage. The statement makes a vague reference to 'other states' but that is unqualified.&lt;br /&gt;(Check the story at&lt;a href="Check%20the%20story"&gt; http://news.bbc.co.uk/1/hi/business/7123970.stm&lt;/a&gt;)&lt;br /&gt;&lt;br /&gt;Then we have the White House, yesterday, asking for a few millions to fortify cybersecurity, and $ 115 m is not small change.&lt;br /&gt;&lt;br /&gt;To add to the terror scenario we have a teenager who was controlling the largest botnet from idyllic New Zealand. And then the personal data of a person no less than the Information Commissioner is farmed off the net at a cost of 35 p in less than an hour !&lt;br /&gt;&lt;a href="Check%20the%20story"&gt;http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/12/04/ndata204.xml&lt;/a&gt;&lt;br /&gt;&lt;br /&gt;So is the Internet going to become the nemesis of mankind ? Is this where they will launch wars of a personal nature or against a state ? 
And the intensity of the weapons will overshadow the infamous invisible WMDs.&lt;br /&gt;&lt;br /&gt;The enemy may well be sitting at a console next to you in the neighborhood cybercafe.&lt;br /&gt;&lt;br /&gt;Everyday we have a new doomsday scenario tale and a small world becomes smaller.&lt;br /&gt;&lt;br /&gt;Dinesh O Bareja&lt;br /&gt;&lt;br /&gt;&lt;br /&gt;&lt;/span&gt;&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-8070535402293747943?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/8070535402293747943/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=8070535402293747943' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8070535402293747943'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/8070535402293747943'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/12/its-war-syndrome.html' title='Its the war syndrome....'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-7670469064124519809</id><published>2007-12-04T08:51:00.000-05:00</published><updated>2007-12-11T14:46:22.993-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='cold war 
scenario'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber terror'/><category scheme='http://www.blogger.com/atom/ns#' term='espionage'/><title type='text'>120 countries building cyber-war capacity</title><content type='html'>*_McAfee report: Cyberespionage to be a top 2008 national security threat_*&lt;br /&gt;&lt;br /&gt;By Jim Carr&lt;br /&gt;03 December 2007&lt;br /&gt;&lt;br /&gt;&lt;a href="http://www.securecomputing.net.au/news/98544,mcafee-report-cyberespionage-to-be-a-top-2008-national-security-threat.aspx" target="_blank"&gt;http://www.securecomputing.net&lt;wbr&gt;.au/news/98544,mcafee-report&lt;wbr&gt;-cyberespionage-to-be-a-top&lt;wbr&gt;-2008-national-security-threat&lt;wbr&gt;.aspx&lt;/a&gt; &lt;&lt;a href="http://www.securecomputing.net.au/news/98544,mcafee-report-cyberespionage-to-be-a-top-2008-national-security-threat.aspx" target="_blank"&gt;http://www.securecomputing.net&lt;wbr&gt;.au/news/98544,mcafee-report&lt;wbr&gt;-cyberespionage-to-be-a-top&lt;wbr&gt;-2008-national-security-threat&lt;wbr&gt;.aspx&lt;/a&gt;&gt;&lt;br /&gt;&lt;br /&gt;A rise in international cyberspying will pose the most significant threat to the national security of the United States in 2008, according to a report from anti-virus vendor McAfee.&lt;br /&gt;&lt;br /&gt;The company said that governments and "allied groups" will turn to cyberspying and cyberattacks against targets such as electricity grids, air-traffic control systems, financial markets and government networks - all critical infrastructure that, if compromised, could affect the country's national security, according to the report.&lt;br /&gt;&lt;br /&gt;McAfee's annual "Virtual Criminology Report," which looks at global cybersecurity trends, was conducted in conjunction with NATO, the FBI, the Serious Organised Crime Agency (SOCA), an independent organisation formed by the United Kingdom's Home Office, and security experts from non-profit organizations and universities.&lt;br /&gt;&lt;br 
/&gt;"Cybercrime is now a global issue," Jeff Green, senior vice president of McAfee Avert Labs and product development, said in a prepared statement. "It has evolved significantly and is no longer just a threat to industry and individuals but increasingly to national security. We're seeing emerging threats from increasingly sophisticated groups attacking organizations around the world. Technology is only part of the solution, and over the next five years, we will start to see international governments take action."&lt;br /&gt;&lt;br /&gt;Tim Jemal, senior vice president of government relations for the Cyber Security Industry Alliance (CSIA), cited this year's attack on Estonian interests as an example of governments being targeted by malicious hacker groups.&lt;br /&gt;&lt;br /&gt;"Cyberthreats to the United States pose a growing risk to national security, that's true," he said. "When a technology-savvy country like Estonia was recently crippled by botnet attack from Russian sources, it's a clear indication that cyberspace is being used by some criminal sources to destabilize countries, and the United States is definitely a target."&lt;br /&gt;&lt;br /&gt;Other trends include increasing threats to online financial services and the emergence of a complex and sophisticated market for malware, according to the report, which noted that 120 countries "now use the internet for web-espionage operations," with many of the cyberattacks originating from China.&lt;br /&gt;&lt;br /&gt;While Jemal wouldn't comment on McAfee's estimate of 120 countries involved in web-based espionage, he said many were using the internet in other malicious activities.&lt;br /&gt;&lt;br /&gt;"Twenty-five nations, including China, are engaged in cyberwarfare programs," he said. 
"They use cyberspace as a weapon against another country."&lt;br /&gt;&lt;br /&gt;The report also indicates that cyberattacks have become "more sophisticated, progressing from initial curiosity probes to well-funded, well-organised operations designed." These operations, designed to slip under the radar of government defenses, increasingly encompass political, military, economic and technical espionage, according to the report.&lt;br /&gt;&lt;br /&gt;Cybercriminals are also developing new attack methods. These include "vishing," or phishing via Voice over IP phone networks, and "phreaking," hacking into telephone networks to make long-distance phone calls.&lt;div class="blogger-post-footer"&gt;&lt;img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/7402685039107633613-7670469064124519809?l=securambling.blogspot.com' alt='' /&gt;&lt;/div&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/7670469064124519809/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=7670469064124519809' title='1 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7670469064124519809'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/7670469064124519809'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/12/120-countries-building-cyber-war.html' title='120 countries building cyber-war capacity'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>1</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-3362612839553630770</id><published>2007-12-02T10:21:00.000-05:00</published><updated>2007-12-02T11:09:50.962-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='lax security'/><category scheme='http://www.blogger.com/atom/ns#' term='intel'/><category scheme='http://www.blogger.com/atom/ns#' term='bhelpuri'/><category scheme='http://www.blogger.com/atom/ns#' term='avis'/><category scheme='http://www.blogger.com/atom/ns#' term='identity'/><category scheme='http://www.blogger.com/atom/ns#' term='credit card'/><category scheme='http://www.blogger.com/atom/ns#' term='privacy'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='compromised financial information'/><title type='text'>Bhelpuri - the ultimate privacy mish mash</title><content type='html'>&lt;span style="font-family:verdana;"&gt;Inspired by &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;a href="http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms" target="_blank" rel="nofollow"&gt;&lt;span style="font-family:verdana;"&gt;http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms&lt;/span&gt;&lt;/a&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;Isn't it apt that identity and card information was available in a &lt;strong&gt;&lt;a href="http://youtube.com/watch?v=xUWidlu0Vgs&amp;amp;feature=related"&gt;bhelpuri&lt;/a&gt;&lt;/strong&gt;, and that too at the hands of a techie, with the source being the world's largest chip maker and the world's largest car rental company? 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;font-size:85%;"&gt;&lt;em&gt;The bhelpuri is the ultimate Indian smorgasbord - a mish mash of a snack which can be spiced up on a scale of 0 to infinity and can symbolize all the regulations and controls thrown into a wrapper and mixed into oblivion so no one knows what came from where - just pass the audit, make sure there is evidence of controls. &lt;/em&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;Oh, I am digressing, this can be a plot for a new Bollywood blockbuster "Secure Bhel" and the catch line will be &lt;strong&gt;CIA on the street.... Compromised and Internationally Available.&lt;/strong&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;Is this another lapse which is being swept under the carpet? Now we wonder, as security professionals: if a company on the bleeding edge of technology can send private data in this manner, what is the state of its internal systems? Not that they will reveal this. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;Well, that is the international giant, the bleeding edge technology company, and they do not have a clue about security of private information because they are busy securing technology IP. So how about the leading car rental company, which handles tons of personal data from credit cards to driver licences, addresses, birthdates, travel plans etc. - how does current and valid personal data land up in a snack! Is this how they treat personal data of clients - boy, I would love to audit them and take them to the cleaners. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;This rambling was prompted by this article......&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;Credit card info found on bhelpuri wrapper&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;1 Dec 2007, 0238 hrs IST,Kavita Kukday,TNN&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;MUMBAI: On Tuesday evening, Aneesh, a media professional in his thirties, bought a packet of bhelpuri from the roadside vendor in MIDC, Andheri. While munching on the snack, he happened to glance at the paper cone in which the vendor had mixed the bhel. His curiosity was piqued. It was a computer printout of an invoice for a car rental. Once he had eaten up his bhel, he studied it carefully: it had the name of a credit card holder, the 16-digit credit card number, the three-digit batch number (from the back of the card) and the expiry date. In short, all the ammo needed for online transactions.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;It was an American Express card. The request had gone on email from tech firm Intel to Avis, an international car rental firm with offices in India. It was sent in March last year for an Intel guest who was staying at the Grand Hyatt and needed to hire a car for a day. Despite the invoice being more than a year old, the expiry date (Feb 2008) showed that the card was still valid. 
To heighten the risk, it was a company credit card, which automatically scales up the chances of misuse --- not only is the credit limit higher even the authenticity of the spends are tougher to track.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;So how did such sensitive information find its way to the bhelwalla? While the paper trail is hard to trace to source, an important stop must certainly have been the raddiwalla. &lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;An Intel spokesperson said, "It is an unfortunate incident and Intel is deeply concerned. We hold our employee confidentiality in the highest respect. We are currently investigating the matter."&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;Those in the credit card business warn that this is not an isolated case. Security norms for digital transactions are still very lax in India, and the use of shredders for documents is almost non-existent.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;The bhel-puri credit card story, however, had a safe ending. The person eating bhel didn't head for the nearest cyber cafe. 
He carefully ironed out the paper cone and passed it on to a writer friend, who called TOI.&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;&lt;/span&gt;&lt;/em&gt;&lt;br /&gt;&lt;a href="http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms" target="_blank" rel="nofollow"&gt;&lt;em&gt;&lt;span style="font-family:verdana;"&gt;http://timesofindia.indiatimes.com/articleshow/msid-2586516,prtpage-1.cms&lt;/span&gt;&lt;/em&gt;&lt;/a&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/3362612839553630770/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=3362612839553630770' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3362612839553630770'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/3362612839553630770'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/12/bhelpuri-ultimate-privacy-mish-mash.html' title='Bhelpuri - the ultimate privacy mish mash'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6224489067310893898</id><published>2007-10-22T23:18:00.000-04:00</published><updated>2007-10-23T00:32:23.636-04:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber crime'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber terror'/><category scheme='http://www.blogger.com/atom/ns#' term='WMD'/><title type='text'>Weapons of Mass Destruction ? The next battleground</title><content type='html'>&lt;span style="font-family:verdana;"&gt;No one found the WMDs ! The reason is simple ... the search was in all the wrong places. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;They do exist but not in the tangible world as we know them. The WMDs we have grown up with are the nuclear devices, the chemical weapons, the large armies, the terrorists. These are passe.&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;WMDs today are unseen, they are invisible bits and bytes that can travel over fiber optic across continents before you can blink. These bits and bytes, shaped by some 'beautiful' criminal mind into a virus, a trojan, a DOS to wreak havoc and bring terror to the doorstep of the common man. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;Critical infrastructure like airports, dams, utilities, power and nuclear facilities, defence facilities are on alert against the risk of attack but with barriers and para-military forces the threat is mitigated. 
What about the WMD attack - the attack which comes stealthily via the internet in the form of trojans, viruses, rootkits, web-bots etc.? An attack which can paralyze the airport or can shut down the nuclear facility. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;Website defacements, hacking, data theft and similar IT crime are commonplace today, and we have new reports daily - globally. So it is easy for a terrorist to construct the WMD and let it loose for destruction. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;So how do we search for and control those evil designs? The answers may lie in a reorientation of education at all levels, by the inclusion of ethics in system design and development and in the use of technology. Or will it be necessary for system development to be licenced and controlled by governments, as is the case with the manufacture of nuclear and conventional weapons? &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;Recent events in Estonia have shown what the WMD can do, and we do not know whether the hills of Kandahar have classes in computer technology after the wannabe terrorist has finished target practice and the indoctrination lecture for the day. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Verdana;"&gt;Thoughts to ramble on, and yes, it is a terrifying thought, but what if it was another 'Live Free or Die Hard' scenario? 
&lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6224489067310893898/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6224489067310893898' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6224489067310893898'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6224489067310893898'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/10/weapons-of-mass-destruction-next.html' title='Weapons of Mass Destruction ? 
The next battleground'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry><entry><id>tag:blogger.com,1999:blog-7402685039107633613.post-6113411504996526926</id><published>2007-10-22T23:07:00.000-04:00</published><updated>2007-12-02T12:38:59.581-05:00</updated><category scheme='http://www.blogger.com/atom/ns#' term='cyber weapons'/><category scheme='http://www.blogger.com/atom/ns#' term='infosec'/><category scheme='http://www.blogger.com/atom/ns#' term='cyberwar'/><category scheme='http://www.blogger.com/atom/ns#' term='security'/><category scheme='http://www.blogger.com/atom/ns#' term='cyber terror'/><category scheme='http://www.blogger.com/atom/ns#' term='information security'/><category scheme='http://www.blogger.com/atom/ns#' term='WMD'/><title type='text'>Rambing Securely</title><content type='html'>&lt;span style="font-family:courier new;"&gt;Yes I would like to make this a space to ramble on and on about InfoSec. Passionate I am about this from the day I realized that this is something which is where I want to be. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;It was sometime in 2000 or earlier that I was exposed to the thought of security in technology. And I was excited about the subject and got to reading whatever I could get my hands on. Learnt what continuity meant, and that there existed a CIA triad which was the basis of all secure thought. And that the Deming cycle meant a lot to make life secure. 
&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:courier new;"&gt;One has come a long way and I have gathered a lot of moss ...... and the excitement continues ! The passion is as strong as ever, and the quest for knowledge stronger. &lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Courier New;"&gt;&lt;/span&gt;&lt;br /&gt;&lt;span style="font-family:Courier New;"&gt;With all the churn in the mind, I keep rambling, so I decided to blog all these thoughts. And maybe start some discussions which may (hopefully) lead to better something someplace. &lt;/span&gt;</content><link rel='replies' type='application/atom+xml' href='http://securambling.blogspot.com/feeds/6113411504996526926/comments/default' title='Post Comments'/><link rel='replies' type='text/html' href='http://www.blogger.com/comment.g?blogID=7402685039107633613&amp;postID=6113411504996526926' title='0 Comments'/><link rel='edit' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6113411504996526926'/><link rel='self' type='application/atom+xml' href='http://www.blogger.com/feeds/7402685039107633613/posts/default/6113411504996526926'/><link rel='alternate' type='text/html' href='http://securambling.blogspot.com/2007/10/rambing-securely.html' title='Rambing Securely'/><author><name>Dinesh O'Bareja</name><uri>http://www.blogger.com/profile/12771818132237880934</uri><email>noreply@blogger.com</email><gd:image rel='http://schemas.google.com/g/2005#thumbnail' width='32' height='28' 
src='http://3.bp.blogspot.com/_nXt0nGSJ18U/SXfawzTCfsI/AAAAAAAAAP8/eAn1QZ16E-A/S220/db.JPG'/></author><thr:total>0</thr:total></entry></feed>
