Cloud Security Alliance Releases Report on State of Cloud Adoption in India

Findings Come on the Heels of Successful CSA APAC Congress in Bengaluru

Bengaluru, India – November 22, 2016 – The Cloud Security Alliance (CSA), the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment, hosted its 4th CSA APAC Congress on 22nd-23rd November in Bengaluru, India. The two-day event hosted delegates from over 300 international government organizations, industry bodies, academic institutions and professional groups, with presentations and discussions about research, development, practice and trends in cloud security.

The conference featured some of the region’s and world’s most influential minds in information security and cloud computing including:

  • Shri. Ajay Kumar, Additional Secretary at Ministry of Electronics & Information Technology
  • Rajiv R. Chetwani, Director, Information Systems Programme Office at ISRO
  • Sri. Raj Kumar Srivastava, IFS, Managing Director, Karnataka State Electronics Development Corporation Limited
  • Dr. Amar Prasad Reddy, Director General at National Cyber-Safety & Security Standards
  • Jim Reavis, Co-founder & CEO of Cloud Security Alliance
  • Dr. Meng Chow Kang, Chief Information Security Officer, APJC Region at Cisco Systems, Inc.
  • Juanita Koilpillai, Founder & CEO of Waverley Labs
  • Rudra Murthy, CISO, Digital India at Ministry of Home Affairs
  • Debabrata Nayak, Chief Security Officer at Huawei
  • Dr. Vikram Sharma, Founding Director & Chief Executive Officer at Quintessence Labs
  • Clayton Jones, Managing Director Asia-Pacific, (ISC)2

For additional information and the agenda, visit https://www.eventbank.com/event/648/

Cloud Security Alliance also announced the release of the survey report State of Cloud Adoption in India. The report is part of an ongoing series of research initiatives that provides insight into cloud adoption across the APAC region, recognizes the APAC countries leading the cloud adoption trend, and identifies countries where opportunities for cloud computing adoption remain. The State of Cloud Adoption in India report presented two key findings for the region:

  • A lack of established industry standards within the Indian cloud computing industry is a lingering problem for the country. Public cloud services offered in India by local providers are largely proprietary, which poses challenges for cloud consumers who want to develop a global IT strategy, and makes moving from one cloud provider to another harder still. In addition, the current national standards in India are neither compatible nor aligned with global standards.
  • Indian organizations are extremely concerned about security, especially data sovereignty. Organizations worry most about their data in the cloud: data breach and data loss are their major cloud security concerns.

Aloysius Cheang, Executive Vice President and Managing Director APAC of the Cloud Security Alliance said, “This study is critical for us to understand the current landscape in India. The results are both expected and shocking. It is expected that data sovereignty and data breach will continue to be the top-line concerns of senior management in companies in India and other parts of the world. But it is shocking to find that while there is increased usage of cloud services in India, the maturity and the strategic use of cloud services lag behind other countries that we have surveyed. Coming from the ICT capital of the world, that is shocking.”

Speaking at the launch, Sandip Kumar Panda, CEO – InstaSafe said, “While cloud adoption in India is on the rise, security concerns still dominate a lot of discussions about movement to cloud. The objective of conducting this survey, in conjunction with CSA, was to understand the Indian CIO’s mindset, the current adoption status, unearth gaps in widespread adoption and work with the industry to help assuage those fears. It would be imperative for Indian CIOs to read the report to understand where they are on the adoption cycle and work with their vendors in asking the right questions.”

In addition to the other conference highlights, CSA announced the formation of a new research working group, SaaS Governance.

SaaS Governance Working Group

The SaaS Governance Working Group aims to benefit all parties in the Software-as-a-Service (SaaS) ecosystem by supporting a common understanding of SaaS-related risks from the perspectives of both the cloud customer and the cloud service provider. Security and privacy are the primary concerns for organizations considering SaaS adoption, and recent research indicates that 77% of SaaS-adopting organizations have experienced SaaS-specific security incidents. SaaS services account for the bulk of the cloud market, so any security incident can critically impact cloud customers. SaaS services present risks that are unique to their customers: they are often tightly bound to specific business processes, they handle and store critical business and personal data, and more. Because of the heavy competitive pressure in the SaaS market today, security is too often not a top priority for SaaS providers, especially smaller providers that may lack the security expertise to identify and manage the risks that could impact both cloud customers and the provider’s own operations.

For more information on the SaaS Governance Working Group along with other CSA research initiatives, events and education, visit https://cloudsecurityalliance.org.

About Cloud Security Alliance

The Cloud Security Alliance (CSA) is the world’s leading organization dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment. CSA harnesses the subject matter expertise of industry practitioners, associations, governments, and its corporate and individual members to offer cloud security-specific research, education, certification, events and products. CSA’s activities, knowledge and extensive network benefit the entire community impacted by cloud — from providers and customers, to governments, entrepreneurs and the assurance industry — and provide a forum through which diverse parties can work together to create and maintain a trusted cloud ecosystem. CSA has developed the definitive best practices for the industry, such as the “Security Guidance for Critical Areas of Focus in Cloud Computing”, the “Cloud Controls Matrix”, “Top Threats to Cloud Computing” and 50 other cloud security research artifacts.

[Cloud Security Alliance Research News]

Evolving Threats Compel an About-face in Data Protection Strategy

It’s time to flip our thinking about enterprise information security. For a long time, the starting point of our tech stacks has been the network. We employ a whole series of solutions on servers and networks—from monitoring and alerts to policies and procedures—to prevent a network breach. We then install some antivirus and malware detection tools on laptops and devices to catch anything that might infect the network through endpoints.

But this approach isn’t working. The bad guys are still getting in. We like to think we can just keep building a bigger wall, but motivated cybercriminals and insiders keep figuring out ways to jump over it or tunnel underneath it. How? By targeting users, not the network. Today, one-third of data compromises are caused by insiders, either maliciously or unwittingly.

Just because we have antivirus software or malware detection on our users’ devices doesn’t mean we’re protected. Those tools are only effective about 60% to 70% of the time at best. And with the increasing prevalence of BYOD, we can’t control everything on an employee’s device.

Even when we do control enterprise-issued devices, our security tools can’t prevent a laptop from being stolen. Or keep an employee from downloading client data onto a USB drive. Or stop a high-level employee from emailing sensitive data to a spear phisher posing as a co-worker.

We need to change our thinking. We need to admit that breaches are inevitable and be prepared to quickly recover and remediate. That means starting at the outside, with our increasingly vulnerable endpoints.

With a good endpoint backup system in place, one that’s backing up data in real time, you gain a window into all your data. You can see exactly where an attack started and what path it took. You can see what an employee who just gave his two weeks’ notice is doing with data. You can see if a stolen laptop has any sensitive data on it, so you know if it’s reportable or not.

By starting with endpoints, you eliminate blind spots. And isn’t that the ultimate goal of enterprise infosec?

To learn more about the starting point in the modern security stack watch the on-demand webinar.

Vijay Ramanathan, Vice President of Product Management, Code42

[Cloud Security Alliance Blog]

Containerization: Why You Should Prepare Now

There are some technologies that seem to have their own “gravitational pull.” By this, I don’t just mean technologies that are interesting, compelling to the business, or likely to be considered by businesses. Instead, I’m referring to those technologies that exert a steady, near-continuous and (one might argue) irresistible pressure across multiple areas of the organization to adopt.

Cloud, mobile, and social media are all examples of technologies like this. Say “no” to the sales team’s request to use a Software as a Service (SaaS) tool today, and chances are you’ll be talking to the marketing team about a similar tool next week. These technologies, when they arise, are usually highly advantageous to the business, have a diverse potential use base, low barriers to adoption and a high degree of awareness among end-user customers.

It’s important to pay attention when new technologies like this land on the scene for a few reasons.

First, the potential for shadow adoption is high. Compelling usage, coupled with low barriers gating that usage, means that individual business units (or individual employees) might take it upon themselves to employ the technology without thinking to inform or engage with technology (let alone security or assurance) teams. As a consequence, a given assurance, security or risk practitioner might not know the usage is there until after it is entrenched.

Second, adoption changes the risk dynamics of the organization. New risks are potentially introduced while old ones are potentially reduced and business value potentially increases. From a holistic risk perspective, therefore, it is imperative that practitioners evaluate these technologies and understand their risk impact even though they may have limited time to do so in light of shadow adoption.

While still relatively new, application containerization is demonstrating many of the above properties.

Application containerization is a mechanism for creating modularized, packaged application functionality that bundles the application together with any configuration and underlying support software it needs to run. Because they are small and componentized, containers are portable between environments; they rely on isolation features of the host operating system kernel (on Linux, namespaces and control groups) to separate the containers running on the same OS instance. Because every container on a host shares that kernel, the isolation boundary is the kernel itself rather than a hypervisor, which matters when evaluating the risk of co-locating workloads. The portability helps development, while the comparative efficiency (relative to, for example, OS virtualization) offers potentially higher density of applications per physical device.

In light of these factors, ISACA has issued a pair of white papers on application containerization. The first volume outlines what application containerization is: the business drivers causing its popularity, the value proposition for developers and datacenter managers, and a description of what the technology offers, and how it works. The second volume outlines the practitioner impact: why the security, assurance, risk, or governance practitioner should care and what they can do to help prepare for risk and control decisions that involve application containers.

It is our hope that this guidance will assist practitioners as they approach risk decisions relative to containers within their environments and assist them in evaluating usage scenarios as containers and micro-services rise in prominence. By laying out the value proposition to the business and providing a working understanding of its technical operation, as well as outlining some of the risk considerations, we hope to arm practitioners with the information they need to approach these decisions with confidence.

Ed Moyle, Director of Thought Leadership and Research, ISACA

[ISACA Now Blog]

Ransomware Q&A With Garry Barnes

ISACA Now recently had the opportunity for a Q&A with Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD and ISACA International Vice President. Barnes is practice lead, Governance Advisory at Vital Interacts (Australia). He has more than 20 years of experience in information and IT security, IT audit and risk management, and governance, having worked in a number of New South Wales (NSW) public sector agencies and in banking and consulting.

Who is deploying ransomware?
Ransomware is developed and deployed by cybercriminals looking primarily to gain financial rewards. Some ransomware will encrypt your files, preventing you from gaining access, while earlier types locked your computer by displaying pornography or other images. The ransomware contains a demand for payment to obtain the key to unlock your system. These payments are routed through untraceable digital currencies, via SMS, or simply using cash transfer systems.

In its Q1 2015 Threat Report, McAfee cited a new family of ransomware, CTB-Locker, leading to a rise in attacks. This malware is distributed in numerous ways, and its payload is hidden in layered zip files. According to McAfee, it was supported by an “affiliate” program, enabling it to be easily added to phishing campaigns.

Who are they targeting?
Ransomware developers are targeting the desktops and Android phones of both individuals and organizations in North America and Europe, where there is a higher likelihood of the ransom being paid. They use a variety of techniques to deliver their payload, including email and web pop-ups. Recently ransomware has been detected in content management systems such as Joomla! and WordPress. The SynoLocker strain of ransomware targets network storage devices.

What is an organization’s chance of suffering this type of attack?
The odds are pretty high that a ransomware attack will occur. ISACA identified ransomware as one of the Five Cyber Risk Trends for 2016, noting that the incidence of victimized enterprises—most of them small businesses—agreeing to make ransomware payments increased from 2.9 percent in 2012 to 41 percent in 2015.

What can be done to prevent it?
There are a number of steps you can take to minimize your risk. Technical controls are important, and security awareness is also key. Users need to be vigilant not to click on links, remain cautious with links and attachments in unsolicited emails, avoid clicking on pop-ups on web sites, and have up-to-date antivirus software.

Desktop architecture should include:

  • Reputable A/V to scan for malicious payloads
  • Firewalls to block unwanted services, including Tor
  • Periodic backup of both data and software
  • Disconnection of the backup storage device after a successful backup
  • Patching of operating systems and applications
  • Use of a web pop-up blocker to prevent clicking on infected ads
  • Use of cloud backup may also help

What should be done once your organization has been hit?
A quick response by the affected user is needed, hence the value of security awareness training. Once hit, an organization should activate its incident response process. This would include alerting the service desk so they can contain the impact and prevent others in your business from falling victim. They will need to initiate recovery of data from backup and restoration of the operating system and applications from a reliable copy.

Garry Barnes, CISA, CISM, CGEIT, CRISC, MAICD, past ISACA Board director

[ISACA Now Blog]
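The backup items in the desktop list above (periodic backup, disconnecting the backup medium afterwards) carry an implicit failure mode: a backup drive that stays connected is just another volume for the ransomware to encrypt. The following added example, written for this page and not taken from ISACA or the interview, shows one way to make that failure detectable. It snapshots a directory, writes a SHA-256 manifest beside the copy, and returns the digest of the manifest so it can be recorded somewhere the backup medium cannot reach; a later verification then reports files that went missing, changed, or appeared under a new name. The sample tree and file names are constructed for the demonstration. The same manifest also answers the question raised in the endpoint-backup piece earlier on this page, namely what data was on a given device at a given time.

```python
"""Snapshot backup with an out-of-band manifest digest (added example).

A backup copy left reachable by the infected host can be encrypted along
with everything else. Hashing every file at backup time and keeping the
manifest's own digest off the backup medium lets a restore operator prove
the copy is intact before trusting it.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(src: Path, backup_root: Path) -> tuple[Path, str]:
    """Copy src into a new timestamped directory under backup_root and write a
    per-file digest manifest next to the copy.

    Returns the snapshot directory and the digest of the manifest itself. That
    second value is the part to keep away from the backup medium (ticket, log
    server, printout): an attacker who can rewrite the backup can rewrite the
    manifest too, but cannot make it match a digest stored elsewhere.
    """
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%S%fZ")
    dest = backup_root / stamp
    shutil.copytree(src, dest)
    manifest = {
        p.relative_to(dest).as_posix(): sha256_file(p)
        for p in sorted(dest.rglob("*")) if p.is_file()
    }
    manifest_path = dest / MANIFEST_NAME
    manifest_path.write_text(json.dumps(manifest, indent=2, sort_keys=True))
    return dest, sha256_file(manifest_path)


def verify(snapshot_dir: Path, expected_manifest_digest: str) -> list[str]:
    """Check a snapshot against its manifest and the off-medium digest.

    Returns a sorted list of problems; an empty list means the copy is intact.
    """
    manifest_path = snapshot_dir / MANIFEST_NAME
    if not manifest_path.is_file():
        return ["manifest missing"]
    if sha256_file(manifest_path) != expected_manifest_digest:
        return ["manifest tampered"]
    manifest = json.loads(manifest_path.read_text())
    problems = []
    for rel, digest in manifest.items():
        p = snapshot_dir / rel
        if not p.is_file():
            problems.append(f"missing: {rel}")
        elif sha256_file(p) != digest:
            problems.append(f"modified: {rel}")
    for p in snapshot_dir.rglob("*"):
        if p.is_file() and p.name != MANIFEST_NAME:
            rel = p.relative_to(snapshot_dir).as_posix()
            if rel not in manifest:
                problems.append(f"unexpected: {rel}")
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: back up a small tree, verify it, then treat the
    backup the way ransomware treats a still-connected drive (overwrite a file
    with ciphertext-like bytes and rename it) and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp) / "documents"
        (src / "finance").mkdir(parents=True)
        (src / "finance" / "ledger.csv").write_text("date,amount\n2016-11-22,100\n")
        (src / "notes.txt").write_text("quarterly planning\n")
        snap, fingerprint = snapshot(src, Path(tmp) / "backups")
        before = verify(snap, fingerprint)      # intact copy: no problems
        victim = snap / "finance" / "ledger.csv"
        victim.write_bytes(os.urandom(64))      # simulated encryption in place
        victim.rename(victim.with_name(victim.name + ".locked"))
        after = verify(snap, fingerprint)       # missing original, unexpected .locked
        return before, after


if __name__ == "__main__":
    print(demo())
```

The check is only as good as where the manifest digest lives: if the single string returned by snapshot() is stored on the same drive, an attacker who can write the drive can keep the manifest and its digest consistent, and the verification proves nothing. Storing it in a ticketing system or a write-once log is the cheap version of the "disconnect the backup device" control.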
