decypher Technologies June 2015
Cyber Security in a Connected World
The fact that even large organizations have fallen prey to cyber attacks is a clear
indication that Security must be viewed beyond Compliance and that Security Engineering
practices must be applied to safeguard Information Assets and Information Systems.
With the alarming rate of increase of security breaches and data
compromise, there is an immediate need to safeguard the Information
Asset and the ICT infrastructure by adopting the right strategies for
providing assurance to the organization, shareholders and customers.
Financial results leaked to the media, confidential business plans
compromised, consumer financial and medical data posted on the web, ATMs
being hacked into, state-sponsored cyber terrorism and hacking into critical
infrastructure are just some of the myriad forms of security breaches hitting the
headlines every other day.
2014’s Top Breaches So Far
eBay
145 Million People Affected
Information Compromised: Encrypted passwords, customer names, e-mail IDs, mailing addresses, phone numbers, dates of birth
Montana Department of Public Health and Human Services
4.6 Million People Affected
Information Compromised: Name, addresses, dates of birth, SSN, information related to health assessments, diagnoses, treatments, prescriptions, insurance
Benesse Holding Inc
20.7 Million People Affected
Information Compromised: Customer names, addresses, telephone numbers, birthdates, gender
Paddy Power
650,000 People Affected
Information Compromised: Customer names, usernames, addresses, email IDs, phone numbers, dates of birth, question-and-answer security questions
Community Health Systems
4.5 Million People Affected
Information Compromised: Names, addresses, birthdates, telephone numbers, SSN
Goodwill
868,000 People Affected
Information Compromised: Names, payment card numbers, expiration dates
Google
5 Million People Affected
Information Compromised: Usernames and passwords
Home Depot
56 Million People Affected
Information Compromised: Credit and Debit card numbers
[Figure: timeline of the breaches above, May 2014 to Oct 2014; axis: Numbers in Millions, 0 to 150]
Global Trends in Cyber Security
Worldwide Landscape
• 50% of World’s Netizens’ Identity Compromised
• Complex connected Infrastructure Security
• Dynamic Ever evolving threat landscape
• Dynamic Threat Surface area
• Ever Changing Vulnerabilities lifecycle
• Cyber Attack far too complex to be handled
Indian Landscape
• 2.9 million people fell victim to cybercrime
• $4 Billion in direct financial losses
• $3.6 Billion spent in time resolving the crime
• 4 in 5 have been victims of cyber crime
• 17% of adults online have experienced cybercrime on their mobile phones
• National Critical Infrastructure is under attack
Confidential
India Risk Survey-2014, FICCI – Key messages
[Figures: top three risks in each region of India (region segment); top three risks in each industrial sector (industry segment)]
Global View
The United States government believes the security of computer systems is
important to the world due to the increased role of Information
Technology (IT) and the growth of the e-commerce sector.
In the European Union, draft legislation would "require all
companies to report attacks on and breaches of their networks to
local authorities, which would be obliged to make them public."
International legal issues of cyber security are complicated in nature due
to conflict of laws in cyberspace. There is no universally applicable
cyber security treaty and many legal experts believe that an
international cyber security treaty is urgently required.
India View
• India has no dedicated cyber security regulation though a few provisions can be found under the rules framed under the Information Technology Act 2000
• National Cyber Security Policy of India 2013 has remained ineffective and non-implementable
• Indian cyber security policy has failed to protect civil liberties of Indians including privacy rights. Civil liberties protection in cyberspace has been blatantly ignored by Indian government while e-surveillance projects have been kept intact by the Indian government
• No legal obligation for cyber security breach disclosures
Internet Usage – Statistics
India is 3rd in terms of Internet users and the Information Technology Infrastructure & Security spending is projected to grow from 1 bn to 1.5 bn
• 65 mn active internet users, up 28% from 51 mn in 2010
• 50 mn users shop on online shopping sites
• 46+ mn social network users
• 346 mn mobile users subscribed to data packages
Reported Attacks
• Jun’12, India's Eastern Navy Command
• MoEA, MoHA, DRDO, ITBP - reported attacks
• NIC email Servers also targeted
• NTRO believes attacks targeted at networks hosting state secrets
• Airport Authority of India Servers attacked
• Power grid failure
Introduction
Decypher Technologies is a Cyber Security, Information Technology &
Management Consulting organization. Decypher Technologies provides Cyber
Security engineering consulting services through highly experienced professionals
trained in Ethical Hacking using Open Source tools and Black Box hack methodology.
Decypher Technologies has a team of in-house professionals and partners to provide
best in class end-to-end IT Infrastructure and Application consulting.
Proven Methodology - Plan-Do-Check-Act
Service Portfolio
Information Security Consulting
Consulting – Third Party Assessments
ISMS – ISO 27001 Consulting and Implementation
Application Security
(i)Security Operation Center
Cyber Forensics & e-Discovery
Sensitive Cyber Crime Investigation
Cyber Security Culture Building
Enterprise Performance Management
Existing Client Panel
Domestic International
Service Offering
Information Security Consulting
Offensive Security and Alternative Analysis for Securing Information and Information Systems
Approach
Our consultants carry out the specific functions of offensive security, war-gaming and control mechanism assessments through the following:
• Structured design and implementation testing leading to full-scope penetration testing engagements, using custom-built tools to simulate exfiltration tactics related to various persistent attacks
• Testing of security deployment’s performance to assess preparedness, vulnerabilities and limitations
• Emulate adversary to create real time threat scenario for meeting the goals of Inspect, Detect and Protect
• Support with focus on intelligence gathering, profiling, process analysis, 3rd party suppliers, employee awareness and social engineering
Value Proposition
Focus on often neglected aspects of traditional IT security implementation and policies by entwining security testing with state of the art security intelligence techniques and demonstrating Return on Investment in security personnel, technology and resources.
Service Offering
• APT simulations and Custom Malware Insertion
• Assessment of malware detection capabilities
• Cyber kill chain
• War-gaming exercises
• Specialized perimeter security & compliance assessments
• Penetration Testing of:
  • Network Infrastructure including VPN, VOIP
  • Wi-Fi networks
  • Web and Mobile applications
  • Mobility devices
Consulting – Third Party Assessments
Offensive Security and Alternative Analysis for Securing Information and Information Systems
Approach
• Reviewers supported by a team of security researchers for advising on feasible solutions for any identified vulnerability in the technical control environment
• Computer Assisted Review Technique that allows for larger sampling, reduced touchpoint with auditee, lower cycle time, improved efficiency and accuracy
Value Proposition
Security beyond compliance with emphasis on research and analytics based reviews in turn assisting clients in optimizing their security investments
Service Offering
Our assessment methodology utilizes analytics and research oriented techniques so as to provide value beyond compliance and help organizations adopt a proactive strategy towards preparedness against information breach or cyber security incident through the following:
• Assessments for Contractual compliance and effectiveness
• Penetration Testing of Network Infrastructure including VPN, VOIP, Wi-Fi networks, Web and Mobile applications
• Application Architecture Risk Analysis & Secure Code Review
• Zero-day Vulnerability Management
• Digital Forensics and Fraud Analytics
• Assessments for Business Continuity and Disaster Recovery
• ICT Supply Chain Reviews for Vendor and Contractors in line with NIST SP 800-161
• Information Security Risk Assessments
• Reviews for Security Control Implementation and Monitoring
ISMS – ISO 27001 Consulting and Implementation
Approach
• Information security policy formulation;
• Identifying information security objectives and plans;
• Identifying roles and responsibilities for information security;
• Communication to the organization about the importance of adhering to the information security policy;
• Participation in the ISMS Plan-Do-Check-Act [PDCA] process, as described in ISO/IEC 27001; &
• Determining the acceptable level of risk.
Value Proposition
Complete assistance in getting you prepared for an ISO 27001 Certification
Service Offering
• All activities must have a methodical approach. The method may be arbitrary but it must be well defined and well documented;
• The company or organization must document its own security goals.
• All of the security measures considered in the ISMS.
• The standard offers a broad range of security controls. The organization must decide which controls are relevant for them to implement based on the specific needs of their business;
• A process must ensure the continuous verification of all elements of the security system through audits and reviews;
• A process must ensure the continuous improvement of all elements of the information and security management system
These practices form the framework within which the
organization will establish an ISMS.
Application Security (Mobile Apps included)
Approach
• OWASP based approach for comprehensive application security testing
• Static and Dynamic code testing
• External attack simulations for identification of vulnerabilities
• Proactive attack surface identification using details of software components, threats, security controls
• Architecture level reviews for assessing conformance to industry best practices
• Testing, Audit of End-to-End IT System including Front-End, Middleware, Back-End Systems
• Application patch packaging, testing and deployment
Value Proposition
End-to-end application security management using industry benchmarks and correlation on the exploitability through due consideration to the applicable threat vectors and early adoption of proactive risk mitigation strategies, thereby ensuring Confidentiality, Integrity and Availability of Information Systems.
Service Offering
• Threat Modeling
• Architecture Risk Analysis
• Secure Code Review
• Application Security Review
• Mobile Application Security
• Penetration Testing
• Zero-day Vulnerability Management
• Secure Coding Practices
• Training on Defensive Programming
Security Operations Center
Managing Security Incidents through timely Detection, Classification, Action and Root Cause Analysis
Approach
Holistic approach that factors critical phases of Prepare, Prevent, Detect, Respond, Recover for managing Cyber Security Operations through:
• Real-time monitoring / management
• Aggregate Logs
• Aggregate Data
• Coordinate response and remediation
• Reporting to management, auditors, security staff
• Analytics for incident identification and prioritization
• Post Incident analysis
• Forensics
• Investigations
Value Proposition
Supporting clients on efficient correlation, data mining and application of homegrown heuristic analytics methodology for proactive protection and early detection of potential incident causing events. Additionally, we facilitate efficient post incident recovery in compliance with applicable regulations and carry out detailed Post Incident Review analysis for Root Cause identification.
Service Offering
• Status Monitoring & Incident Detection – SIEM/AV/IPS/DLP Console
• Initial Diagnostics and Incident Isolation
• Problem Correctional
• Security Systems & Software management – DAT Updates/Corrective IDS/IPS, Firewall Rules
• Computing Equipment and Endpoint monitoring
• Third-Party Vendor interaction
• Escalations and Reporting
• Closure of Incidents
• Analytics based predictive modeling
• Persistent Threat Investigation
Cyber Forensics and e-Discovery
Post Incident Assessment and Evidence Collection and Handling
Approach
Access to the XYZ Organization cyber forensics methodology and experienced professionals in managing the incident investigations and recovery. Controlled and well-designed e-Discovery workflows in line with the legally mandated evidence handling lifecycle.
Provide training on digital evidence collection process, digital forensics and facilitate lab setup thereby improving the turnaround time for case resolution. Training and exposure to prepare electronic documents using best practices model, regular analysis for ensuring quality. Key steps include:
• Acquire electronic data in legally acceptable format
• Initial Production Interview and Data Harvest
• Document Processing for identifying potentially responsive documents
• Document Production for case management software such as Summation, Ringtail and Concordance
• On-line repository through our partner
Value Proposition
Service Offering
• Identify, Extract, Document computer-based evidence using deep search technique
• Provide litigation support and expert testimony
• Forensic tools and analytics capability for APT detection and Insider threat management
• Investigate theft of intellectual property, trade secrets, especially software theft
• Investigate Inappropriate usage of computing resource, Corporate misconduct
• Recover and reconstruct deleted documents
Sensitive Cyber Crime Investigation
Post Incident Investigation along with local law enforcement agencies
Approach
Value Proposition
Service Offering
• Understanding Customer case
• Investigating the incident
• Reach a conclusion
• Investigation support
• Liaising with Cyber Crime Cell
• Liaising with Cyber Crime Lawyers
• Digital Forensics analysis
• Empanelled lawyers practicing in Cyber Laws
Complete Customer Confidentiality during and after the investigation. Single point of contact for all
Cyber Crime related incidents
Cyber Security Culture Building
Driving Security Behavior through Training, Awareness and Education for meeting the Organization's Security goals using Gamification Techniques, Simulations & War-game rehearsals
Approach
Structured approach to culture building process in the client organization by utilizing simulation based continual assessment techniques in turn ensuring cyber security maturity amongst individuals. Customized thematic training modules with special focus on lessons learnt during security incidents.
• Simulation based awareness, training and education in cyber security engineering, compliant to NIST SP 800-50
• Periodic assessments of employees through simulated Social Engineering techniques
• War-gaming scenarios and role play for security incident handling
• Virtual Training Environment based learning
• Specialized domain trainings for key IT staff
• Customised awareness programs for inculcating behavior of reporting incidents, vulnerabilities
Value Proposition
Service Offering
Decypher Technologies Value Proposition
Key Differentiators
• End to End Cyber Security Expertise, End point to Infrastructure. Domain coverage includes Artificial Intelligence, Threat Analytics, Ethical Hacking, Security Incident Management, etc. including ATM networks.
• Topmost professionals in Cyber Security from varied industry domains to provide risk based consulting vs. only Standard based
• Blend of professionals from Business Process, BFSI and Consulting domain
• Business enhancing security solution, thus optimizing cost of doing business
• More than 600 CIOs, CTOs and CISOs present in current team's social network
• Proven track record in Designing, Developing, Implementing, Managing holistic security programs for safeguarding Information Assets and Systems for Global Organizations
• Autonomous, Standardized and documented procedural workflows for optimization and sustainability of security practices at client end
• Product Agnostic and flexible approach.
Decypher Technologies
Leadership Team
Partner Profile
Rajesh Sapkal Certified Senior Resource in Information Security/Digital Forensics
Rajesh has over 20 years of experience in areas of Information Security, IT Audit, Application controls, Management controls, Security Procedures and Business Process controls. As a founder of Decypher Technologies, a core Information Security consulting firm, he has been instrumental in successfully completing complex assignments for various organizations and has successfully redone the entire network architecture of a Global MNC, bringing it on par with the big IT companies in this space. He has successfully completed Information Security Consulting assignments for various offshore Banks and Financial Institutions and was instrumental in the roll out of DLP at a leading Casino in Macau.
In his role as Global Head – Information Security at Capgemini, he was responsible for ISO 27001 certifications at Capgemini FSSBU (Kanbay). He has also set up a SOC (Security Operations Centre), handled product comparison, vendor identification and negotiations, and was instrumental in the Global roll-out of PGP, RSA and Safeword across Capgemini. In his role at Oracle (as Manager Information Security - India), he handled issues from Compliance, Audit, Abuse cases, Forensic Investigations, Liaison with Cyber Crime division of State Police, Creating Security Awareness etc. In his earlier jobs with KPMG, he successfully completed assignments on SAP controls review, Building application and Network security review, ITGC and risk assessment. He also set up a complete IT organization and handled Project Management for a new process at WNS Global Services.
Rajesh’s areas of proficiency include Security, Public Key Infrastructure, IT Controls Review, Software Engineering, Networking, IT Infrastructure security Audit, IT Security Policy and Procedure Development, Penetration Testing, Application reviews and Application level security, Digital Forensics, Project Management, Defining IT Processes and Procedures, and Business Continuity Planning / Disaster Recovery Planning (BCP/DRP).
Thank You