Tuesday, May 3, 2016

Malware Are Big Nuisance For Business Houses And Individuals World Over

Business houses and individuals are facing sophisticated malware attacks around the world. This is true about not only big business companies but even small and medium business houses. Cyber criminals are also targeting individuals for sensitive personal and financial information. Ransomware attacks are increasing and they are targeting stakeholders ranging from big hospitals, banks and individual computer users.

Even at the organisational level, the directors and top management are lethargic towards cyber security of the organisation. For instance, the directors of Indian companies are not at all paying attention to cyber security issues. As the Indian government is not pushy at all regarding ensuring cyber security in companies and at the level of Indian cyberspace, these directors are escaping their legal liabilities even if a cyber breach occurs. There are no cyber security breach disclosure norms in India and this makes the directors and top management indifferent toward cyber security related legal obligations in India.

India has no dedicated cyber security law though it is absolutely required due to projects like Digital India and Aadhaar. Cyber criminals are targeting banking sector of India with ease and stealing big amount of money. The Reserve Bank of India (RBI) had even declared that it would open up an IT subsidiary that wold take care of cyber security issues of banks in India. However, till May 2016 there is no sign of such an IT subsidiary. Similarly, the Indian government has appointed Dr. Gulshan Rai as the first Chief Information Security Officer (CISO) of India but much has to be done after this stage.

In the present cyber security environment, malware have emerged as undefeatable and uncontrollable. Cyber security product and services providers have no other option left but to innovate so that sophisticated malware can be detected at the earliest stage. Anonymity tools and use of Dynamic DNS, Fast Flux and Bullet Proof Servers has further complicated the problems for law enforcement agencies world over. Instead of strengthening the cyber security capabilities, law enforcement agencies around the world are barking the wrong tree. They are trying to kill encryption and compromise the cyber security by demanding backdoor in the security products. FBI of US has even gone to the extent of acquiring long arm jurisdiction through US Supreme Court that would allow it to target global computers. This would clearly violate civil liberties and cyber laws of various nations.

Cyber criminals have unlimited resources at their disposal these days. Many of them are even supported by state actors and this allows them to make customised malware that cannot be detected and eliminated by traditional anti virus and security products. As a result the contemporary cyber security products and services are ineffective in preventing such malware from causing damage.

World has already faced sophisticated malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades, FinFisher, Gameover Zeus (GOZ), etc. These malware were unique as they were detected much after they infected the targeted systems. Some of these systems remained infected for many years and this facilitated targeted cyber espionage and customised infection of these systems.

The financial sector has its own share of cyber security problems and challenges. Malware targeting financial sector are also in circulation for long. These include Carbanak, Vskimmer Trojan, Malware Dump Memory Grabber, etc that cause tremendous financial loss world over. It is not just the financial loss but also loss of faith and goodwill that banks and other financial institutions have to face.

Perry4Law Organisation (P4LO) has provided the “Cyber Security Trends In India 2016” that have predicted that use of botnet and malware would increase in the year 2016. The trends has also predicted that critical infrastructure, cloud computing and e-health would also be on the receiving end. We have already witnessed an increased use of ransomware and malware for targeting hospitals and health industry. Similarly, big corporations are also frequently targeted and their data are encrypted by the cyber criminals. This data is then decrypted only after the ransom is paid by the corporation to the cyber criminal.

The year 2016 would witness an increased use of malware for various purposes like cyber terrorism, cyber warfare and cyber espionage. It is for us to develop both offensive and defensive cyber security capabilities and a robust cyber security infrastructure so that the impact of these malware can be minimised if not eliminated.

Visit - http://cybersecurityofindia.blogspot.com/2016/05/malware-are-big-nuisance-for-businesses.html


IT has engulfed our lives so much that most of our daily activities are dependent on it. And with so many people using it as part of their lives, it has also emerged as a means for criminal activities. It is not just an individual who is threatened by illegal activities in cyber space, but even an entire country's security could be at risk. For instance in 2008, there was news that the email system of the Indian Prime Minister's Office was affected by a computer virus for three months, and upon investigating it was revealed that its computers were being remotely controlled. One might also recall the 2006 train bombings in Mumbai, where terrorists used advanced techniques such as IP address masking for funds transfer and other communications.
Cyber Security is quickly becoming a hot issue. The term itself is relatively new. Many colleges and schools may still list their cyber security degree programs under more general terminology like network security, computer systems analyst, information security, IT or even criminal justice. We predict that CyberSecurity will be one of the biggest and fastest job growth areas in the coming decade. This high paying field is demanding and requires the security expert to constantly keep up with growing computer threats, attacks and changing technology. The great majority of companies have computer networks and must have cyber security personnel now to protect themselves.

Cybersecurity professionals protect data and systems in networks that are connected to the internet. Cybercriminals or hackers strike in various ways by virus attacks, which may erase your entire system or someone can steal confidential information from your systems or even break into your systems and modify your files without your knowledge.
A computer hacker finds out the loopholes in a system and breaks into it, the information security professional, or an ethical hacker has a similar job. He needs to think like a hacker and find the loopholes in the system before a hacker can get to them. As per a website on smejobs the job nature of a cyber security expert is described as below:

Job Profile
The job of a cybersecurity professional includes:
Ethical Hacking into a company’s network to find out what security loopholes need to be fixed
Creating security policy for an organisation
24×7 remote management of security products like firewall
Security auditing, that is, compiling a report on a company’s security system to see if it matches standards
Cyber Forensics, that is, clinical investigation of computer crimes/frauds
Where are the Jobs?
Most of the cybersecurity jobs within government fall in the category of computer specialist, information technology officer, Information technology specialist, assistant chief security officer etc. These jobs are available with various government agencies and departments including Central Bureau of Investigation (FBI), Department of Transportation, Aviation and Defence. This means that cyber security careers will be available in local law enforcement, federal law enforcement, the military, utility companies and homeland security. CyberSecurity careers will also be available in the corporate world with almost any kind of business you can think of. Medical records, ecommerce data, banking information and even small mom and pop businesses will all need cybersecurity workers.

Some of these positions will only require a minimal amount of training such as a certification or an Associate Degree. Others will require a Bachelors, Masters or Doctorate in Cyber Security. There will probably be a shortage of these types of workers for several years to come. That means qualified and trained people should be able to pick and choose the jobs with the best pay and the best working conditions. If you think this may be the career for you, start looking at colleges and exploring the various specializations of study this field has to offer.

Within businesses, the cybersecurity positions available are cybersecurity analyst, research scientist, engineer, senior information security specialist. Most of these jobs are available with government contractors, scientific research laboratories, security consulting firms and IT and security vendor companies.
The common theme of most of these positions is to defend the nation through the development and utilization of cutting-edge systems, procedures, and technologies to prevent future terrorist attacks.

Career Path
Entry Level -  IS Executive Manager (Role: to correlate broad security guidelines of the organisation with security operations.)
Middle Level - IS Manager (Role: Security program management, data security, ploicy creation/maintenance, business continuity/ disaster recovery)
Senior & Top Level - Chief IS Manager (Role: Design and development of information security policy. Regulatory compliance, information security governance)
Senior & Top Level - Security Advisors / Auditors (Role: Advisory services for information security,      policy design, risk assessment, compliance to global/industry standards)
Senior & Top Level - Chief Information Officer (Role: Justifying the cost of ongoing and future investments to mitigate information risks, aligning business objectives with a concise security strategy)
Graduate in any discipline, but software engineers would have preference. A good knowledge of networks and understanding of  hackers mind is essential. It is recommended that one does a course in Cyber Security. Such courses would help a erson learn the tricks of the trade, it does not help joining a course for a few days, but it is recommended that one joins reputed certificate programs and long term programs. Certifications like CISA (Certified Information System Auditor), CISM (Certified Information Security Management) and CISSP (Certified Information Systems Security Professionals) would help a person to start a career in Cybersecurity. Other vendor specific certifications like CCSP (Cisco Certified Security Professional) and MCSE (Microsoft Certified Systems Engineer) also help.

Expected Renumeration
A person with an years experience can expect Rs.3 Lakh per annum. Those with 5 years can get upto 8-10 Lakhs. Those with certifications like CISM, CISSP and CISA can expect annual salaries of 100,000 Rs. abroad.

Cyber Forensics professionals
Cyber Forensics is a new and developing field, which can be described as the study of digital evidence resulting from an incidence of crime. According to pcquest, this science involves investigation and a computer to determine the potential of legal evidence. It helps create preventive intelligence and threat monitoring besides post incident investigations. The growing spectre e-commerce and web-based business transactions has changed the way white- collar crime is committed. Enterprises have become increasingly concerned about the use of computer networks for corporate spying and other similar threats. In addition, extraordinary risk factors such as terrorism in India are also witnessing a strategic change from an operational perspective. India, like elsewhere, is also witnessing an exponential rise in the number of frauds done through computers and IT systems.
From the government's perspective, cyber security has become as important a parameter for national security as physically safeguarding the nation's borders. In fact, there exists a critical dependence of various industries and business sectors on the government-controlled IT infrastructure and networks. And if any vulnerability is attacked by terrorists, it can be disastrous for the country's corporates and businesses. For instance, the banking sector's inter-bank financial settlement process is based on a centralized IT infrastructure that's managed by RBI, and any disruption in the system can cause tremendous loss to the sector. Such high IT dependence is also present in national assets like oil and gas networks, national stock exchanges, railways, air traffic controls, etc. Such systems are prime targets for hackers as well as terror organizations to cause severe business and economic losses to the country. This has further escalated the need to have Cyber Forensics experts in India to preserve country's IT assets against operational and reputation risks. Thus, Cyber Forensics professionals are not just required by enterprises for their information security, but also by government agencies to keep track of nation's cyber security and preserve it from malicious attacks.
Opportunities in Cyber Forensics

A Cyber Forensics professional is required to gather electronic evidence of misuse of computer networks and provide evidence in a court of law to bring the culprits to justice. A Cyber Forensics pro is sought by both public as well as private sector. In the public sector, people are mostly absorbed in law enforcement agencies like cyber crime cells, state forensics departments and central agencies like the CBI. In the private sector, it's the information that is of paramount importance for the enterprises, and so they require professionals to safeguard their data from being stolen and misused and also preserve them from hackers. Additionally, there are specialist companies that work on ethical hacking, Cyber Forensics and IT security. A budding Cyber Forensics expert can start his career as a cyber analyst or engineer for an enterprise after gaining experience and domain knowledge can proceed to niche areas in Cyber Forensics. Also, professionals can divert to freelancing and become independent security consultants.

Read more - http://cybersecuritymis.blogspot.com/p/cyber-security-as-career.html

Monday, May 2, 2016

Ten Important Rules Of Ethical Hacking

The world of ethical hacking too is bound by a set of rules and principles, here are 10 crucial ones!

Time and again we have been bringing you valuable resources on ethical hacking since we know and understand the nature of things as far as security goes. Ethical hacking is picking up steam each day with more and more organisations spending heftily to maintain the sanctity of their systems and data. As such, ethical hacking is a glorious career option in the current scheme of things.

1.Set your goals straight

To begin with, an ethical hacker must start thinking like the intruder. He must be able to identify the loopholes on the target access points or networks that are prone to attack, he must be aware of the repercussions of these loopholes and how the intruder can use it against the same. An ethical hacker then has to find out if anyone at the target notice the intruder's attempts to carry out his/her acts. Finding out and eliminating unauthorised wireless access points is always the top most priority of an ethical hacker.

2.Plan your testing process

You can never be sure when something or the other comes along that could make you take a backseat. Money, personnel, or time is not in your hands, therefore constraints might knock on your door anytime without prior notice. As such, to avoid any untoward incidence, you must identify the networks you intend to test and decide before hand the time period for this process. Once the basics are set right you must specify a testing process that you'll carry out. Planning is crucial and sharing it with all the concerned personnel advisable. An approval of the testing process by all stakeholders involved is also necessary.

3.Ask for permission

Getting permission for your deeds is a must to avoid any legal repercussions that might turn up against you in the future. This permission must be in written and must clearly state that you hold the authorised rights to carry out the particular test you intend for and that the said organisation will back you at all times in case any criminal charges come up against you.

4.Work ethically, work professionally

Refrain from stepping out of the said plan, stick to the set goals and plan. Also, refrain from sharing any information regarding your plan and testing to anyone outside your set domain. As an ethical hacker you're bound to confidentiality and non-disclosure of events that unfold during your hacking process to anyone other than the organisation and concerned authority.

5.Always keep records

Spending countless hours within the confines of a lowly-lit room with a computer and a piping pot of coffee doesn't mean you start to loose it with time. Always maintain formal records of what you do and what you test and what results you get. Notes can be either in paper or electronic, in all cases they must be well maintained.

6.Respect the privacy of others

You're bound to gain access to private information (encryption keys for instance) while on your quest, however, how you use this information is key to being a good ethical hacker and a good human being most importantly. Getting first hand information about others' private lives doesn't give you access to intrude. There's a thin line here that must not be crossed, with great power comes great responsibility, remember?

7.Respect others' rights

It's only human to be proud of your achievements. Once you get through a locked window, chances are you'd want to pry further. However, you must understand that your deeds must not cause harm to the rights of others. Also, use tools of the trade wisely. The same tool you use for an attack might in turn have long lasting implications, a denial of service for instance.

8.Use a scientific process

Follow a scientific/empirical approach while hacking. To begin with set a goal that is quantifiable, meaning you know when you've reached it rather than going around in circles. Your test must be consistent to your findings. If the same test brings out two different results when done twice in the same case scenarios, there's something terribly wrong about how you're going about it.

9.Pick one tool and stick with it

The internet is rife with countless good tools to carry out your process, both free and commercial tools are available. However, rather than being overwhelmed by the sheer quantity, it's ideal you pick up one tool and stick with it.

10.Provide timely progress updates

Many a times the time duration of your test might extend beyond the set interval (over a week for instance). In all such cases, you must provide your organisation with progress updates from time to time rather than waiting for the process to reach a completion.

Credit - http://comexpo-cyber-security.blogspot.com/2014/08/ten-important-rules-of-ethical-hacking.html